AICPA Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program [Completed]
Issued: April 26, 2017
Effective Date: Not applicable. There is no requirement to adopt this AICPA material in Canada.
Last updated: April 2017
Overview
On September 19, 2016, the AICPA issued an exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program. It is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description.
By way of background, in response to growing market demand for information about the effectiveness of an entity’s cybersecurity risk management program, the U.S. auditing profession, through the AICPA, is developing a new engagement that CPAs can use to assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the effectiveness of an entity’s cybersecurity risk management program.
The cybersecurity examination to be described in the cybersecurity attestation guide will be performed in accordance with the attestation standards. Under those standards, an attestation engagement is predicated on the concept that a party other than the practitioner makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. The attestation standards state that, in an examination engagement, the responsible party (generally, that is management in a cybersecurity examination engagement) takes responsibility for the subject matter.
In the cybersecurity examination, management makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. The subject matter of the cybersecurity examination includes the following: (i) A description of the entity’s cybersecurity risk management program in accordance with the description criteria; (ii) An assessment of the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria.
Because management is ultimately responsible for the entity’s cybersecurity risk management program and the operation of the controls within that program, it is management’s responsibility to develop and present, in the cybersecurity report, a description of the entity’s cybersecurity risk management program. Management also is responsible for selecting both the description criteria and the control criteria to be used in the engagement.
This exposure draft presents only the description criteria for use when preparing the description of the entity’s cybersecurity risk management program. In addition to the description criteria, this exposure draft also presents points of focus that represent important characteristics of the description criteria.
For further details see the press release and related information on the AICPA’s Web site.
On April 26, 2017, the AICPA issued its Framework related to Cybersecurity Risk Management, which includes the final version of the above description criteria, for use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management’s description. See the related standard, AICPA Framework related to Cybersecurity Risk Management, for further details. There is no requirement to adopt this AICPA guidance in Canada.
Other developments
April 2017
On April 26, 2017, the AICPA issued the Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program as part of its AICPA Framework related to Cybersecurity Risk Management. There is no requirement to adopt this AICPA guidance in Canada.
September 2016
On September 19, 2016, the AICPA issued an exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program. It is intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description.