AICPA Framework related to Cybersecurity Risk Management
| Issued: | April 26, 2017 |
| Effective date: | Not applicable. There is no requirement to adopt this AICPA Framework in Canada. |
Overview
At a time when organizations around the world are facing cybersecurity attacks, it is more important than ever for them to demonstrate to key stakeholders the extent and effectiveness of their cybersecurity risk management efforts. To help businesses meet this growing challenge, on April 26, 2017, the American Institute of CPAs (AICPA) introduced a market-driven, flexible and voluntary cybersecurity risk management reporting framework.
The AICPA’s new framework is intended to enable all organizations, in industries worldwide, to take a proactive and agile approach to cybersecurity risk management and to communicate about those activities with stakeholders. Two resources that support reporting under the framework were released on April 26, 2017: (i) Description criteria, for use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs in reporting on management’s description; and (ii) Control criteria, used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program. For further details of the development of the Description criteria, refer to the related completed AICPA project.
A third resource for CPAs was released in May 2017, namely an Attest guide. This guidance, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, was published to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.
For more information and links to resources for CPAs providing cybersecurity advisory and assurance services, visit the AICPA’s Cybersecurity Resource Center. In addition, see Deloitte’s discussion of a cybersecurity risk management examination.
Recent developments
| Date | Development | Comments |
| --- | --- | --- |
| April 2017 | AICPA Framework related to Cybersecurity Risk Management issued | |
| May 2017 | AICPA Attest Guide - Reporting on an Entity’s Cybersecurity Risk Management Program and Controls | |
Amendments under consideration
- None