
AICPA Framework related to Cybersecurity Risk Management


April 26, 2017

Effective date:

Not applicable. There is no requirement to adopt this AICPA Framework in Canada.



At a time when organizations around the world are facing cybersecurity attacks, it is more important than ever for them to demonstrate to key stakeholders the extent and effectiveness of their cybersecurity risk management efforts. To help businesses meet this growing challenge, on April 26, 2017, the American Institute of CPAs (AICPA) introduced a market-driven, flexible and voluntary cybersecurity risk management reporting framework.

The AICPA’s new framework is intended to enable all organizations – in industries worldwide – to take a proactive and agile approach to cybersecurity risk management and to communicate about those activities with stakeholders. Two resources that support reporting under the framework were released on April 26, 2017: (i) Description criteria – For use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management’s description; and (ii) Control criteria – Used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program. For further details of the development of the Description criteria, refer to the related completed AICPA project.

A third resource for CPAs was released in May 2017, namely an Attest guide. This guidance, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, was published to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.

For more information and links to resources for CPAs providing cybersecurity advisory and assurance services, visit the AICPA’s Cybersecurity Resource Center. In addition, see Deloitte’s discussion of a cybersecurity risk management examination.


Recent developments




April 2017

AICPA Framework related to Cybersecurity Risk Management issued

There is no requirement to adopt this AICPA Framework in Canada

May 2017

AICPA Attest Guide - Reporting on an Entity’s Cybersecurity Risk Management Program and Controls

There is no requirement to follow this AICPA Attest Guidance in Canada

Amendments under consideration

  • None
