AICPA Proposes Criteria for Cybersecurity Risk Management
Sep 19, 2016
On September 19, 2016, the Assurance Services Executive Committee of the American Institute of CPAs (AICPA) released two sets of cybersecurity criteria for public comment, which the institute hopes will lay the groundwork for a new set of assurance services.
The first exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description.
The second, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services (that is, SOC 2 engagements) to evaluate the controls within an entity’s cyber risk management program. Management may also use the trust services criteria to evaluate the suitability of the design and the operating effectiveness of those controls.
Comments on the cybersecurity attestation exposure drafts are due by December 5, 2016.
Review the press release on the AICPA's website.