
AICPA Proposes Criteria for Cybersecurity Risk Management


Sep 19, 2016

On September 19, 2016, the Assurance Services Executive Committee of the American Institute of CPAs (AICPA) released two sets of cybersecurity criteria for public comment, which the institute hopes will begin to lay the groundwork for a new set of assurance services.

The first exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description.

The second, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services (including SOC 2 engagements) to evaluate the controls within an entity’s cyber risk management program. Management may also use the trust services criteria to evaluate the suitability of the design and the operating effectiveness of its controls.

Comments on the cybersecurity attestation exposure drafts are due by December 5, 2016.

Review the press release on the AICPA's website.
