This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our cookie notice for more information on the cookies we use and how to delete or block them.
The full functionality of our site is not supported on your browser version, or you may have 'compatibility mode' selected. Please turn off compatibility mode, upgrade your browser to at least Internet Explorer 9, or try using another browser such as Google Chrome or Mozilla Firefox.

Deloitte comments on AICPA's proposed description criteria

Published on: Dec 09, 2016

Deloitte & Touche LLP comments on the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.

An excerpt from the comment letter is shown below:


1. Are there any unnecessary or otherwise not relevant description criteria or points of focus? Please provide a list.

As noted in our response to Question 3 below, we believe that entities are unlikely to provide the information requested in DC8 as it could provide information to an attacker that would be useful.

2. Are there any missing description criteria or points of focus? Please provide a list.

DC25 – We recommend adding the following to the list included in the point of focus:

xvi. Multifactor or adaptive authentication
xvii. Malware protection
xviii. Vulnerability management programs

DC27 – We recommend adding the following point of focus:

The process by which management is notified of security events from third parties

3. Are there any description criteria or points of focus that would result in disclosure of information that would increase the risk of a security event? Please provide a list.

DC8 – We believe that it is unlikely that entities are going to provide the requested information because it may provide a profile of the organization that would be useful to an attacker and even if the information were to be provided, the criteria for determining what would be an “incident” is unclear.

4. Do you have any concerns about the measurability of any of the description criteria or points of focus?Please provide a list.

DC5 – We believe the terminology in the last bullet is vague as it is uncertain what the measurement would be for “outdated” or “unsupported.” Accordingly, we recommend the following change:

Dependency on strategically significant IT equipment and systems that are outdated or unsupported or both no longer supported

5. The AICPA developed the description criteria and related points of focus using an approach similar to the one used by COSO when developing its Integrated Framework—Internal Control. Similar to the COSO approach, a description of the entity’s cybersecurity risk management program prepared in accordance with the description criteria would include information about each of the criteria in this document. The points of focus related to the criteria are important characteristics of the criteria. Consistent with the COSO approach, management may determine that some of the points of focus are not suitable or relevant and may identify and consider other characteristics based on specific circumstances of the entity. Points of focus assist management in determining the matters to be addressed in the presentation. However, use of the criteria does not require management to address every point of focus in its description. Do you believe this approach is appropriate? If not, please describe the approach you would recommend.

D&T agrees with the proposed approach laid out in the exposure draft.

Full text of the comment letter is available below.


Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.