AICPA advises on cybersecurity risk management

By Ranica Arrowsmith for AccountingToday.com

The American Institute of CPAs has developed a guide titled “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls” to help CPAs examine and report on client organizations’ cybersecurity risk management programs.

The guide aims to help CPAs provide a new assurance service to evaluate a client’s description of its cybersecurity risk management program. The resulting report is hoped to help clients demonstrate to their stakeholders that they have sound cybersecurity procedures and practices.

This new guide comes on the heels of the release of description and control criteria for cybersecurity programs released by the AICPA last month.

“At the AICPA, we saw the emerging market need several years ago,” AICPA executive vice president Susan S. Coffey, CPA, CGMA said in a blog post. “We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place. This lack of transparency makes it difficult for stakeholders to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats … [This] framework is designed to meet the information needs of a broad range of third-party users. It provides organizations with a common language to use when evaluating and reporting on their cybersecurity efforts, and gives them a level of comfort that they’ve adequately considered best practices when designing, implementing and operating their programs.”

The guidelines were assembled by AIPCA’s Auditing Standards Board and Assurance Services Executive Committee. For more information, click here.