AICPA Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program [Completed]

Issued:

April 26, 2017

Effective Date:

Not applicable. There is no requirement to adopt this AICPA material in Canada.

Last updated:

April 2017

Overview

On September 19, 2016, the AICPA issued an exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program. It is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description.

By way of background, in response to growing market demand for information about the effectiveness of an entity’s cybersecurity risk management program, the U.S. auditing profession, through the AICPA, is developing a new engagement that CPAs can use to assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the effectiveness of an entity’s cybersecurity risk management program.

The cybersecurity examination to be described in the cybersecurity attestation guide will be performed in accordance with the attestation standards. Under those standards, an attestation engagement is predicated on the concept that a party other than the practitioner makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. The attestation standards state that, in an examination engagement, the responsible party (generally, that is management in a cybersecurity examination engagement) takes responsibility for the subject matter.

In the cybersecurity examination, management makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. The subject matter of the cybersecurity examination includes the following: (i) A description of the entity’s cybersecurity risk management program in accordance with the description criteria; (ii) An assessment of the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria.

Because management is ultimately responsible for the entity’s cybersecurity risk management program and the operation of the controls within that program, it is management’s responsibility to develop and present, in the cybersecurity report, a description of the entity’s cybersecurity risk management program. Management also is responsible for selecting both the description criteria and the control criteria to be used in the engagement.

This exposure draft presents only the description criteria for use when preparing the description of the entity’s cybersecurity risk management program. In addition to the description criteria, this exposure draft also presents points of focus that represent important characteristics of the description criteria.

For further details see the press release and related information on the AICPA's Web site.

On April 26, 2017, the AICPA issued its Framework related to Cybersecurity Risk Management, which includes the final version of the above Description Criteria, for use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management's description. See the related standard for further details: AICPA Framework related to Cybersecurity Risk Management. There is no requirement to adopt this AICPA guidance in Canada.

Other developments

April 2017

On April 26, 2017, the AICPA issued the Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program as part of its AICPA Framework related to Cybersecurity Risk Management. There is no requirement to adopt this AICPA guidance in Canada.

September 2016

On September 19, 2016, the AICPA issued an exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program. It is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description.
