Financial

Sizing up risk management: Accountants issue guide for cyber audits

The largest professional organizations for qualified accountants issued guidance to its members this week about how to audit management claims about their company's cybersecurity.

By Shaun Waterman

May 26, 2017

(Getty Images)

The largest professional organizations for qualified accountants issued guidance to its members this week about how to audit management claims about a company’s cybersecurity.

The new guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, is part of the voluntary cybersecurity risk management reporting framework the American Institute of Certified Professional Accountants is producing this year.

“Our intent is to establish a common, underlying language for cybersecurity risk management reporting — almost akin to U.S. [Generally Accepted Accounting Principles or] GAAP … for financial reporting,” AICPA says in a factsheet about its framework.

Two other elements were published last month:

Description criteria – A list of categories of information that management have to provide about their cybersecurity risk management program, in a consistent manner.

Control criteria – The measures a CPA should use “to evaluate and report on the effectiveness of the controls within a client’s [cybersecurity] program.”

Alongside the two sets of criteria, the framework consists of a description of the company’s cybersecurity program prepared by management, management’s assertion about that program, and a CPA’s opinion on it. Taken together the framework’s elements provide “a common language for organizations to describe their cybersecurity risk management efforts (in the description) and for CPAs to report on those efforts,” AICPA says.

The 263-page guide includes chapters on “Accepting and planning a cybersecurity risk management examination;” “Performing the cybersecurity risk management examination;” and “Forming the opinion and preparing the practitioner’s report.”

“At the AICPA, we saw the emerging market need several years ago,” said AICPA Executive Vice President for Public Practice Susan Coffey in a blog post Tuesday. “We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place.”

She added that “This lack of transparency makes it difficult for stakeholders [like vendors, business partners or shareholders] to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats.”

A vendor/supply chain guide is expected to be issued during 2018.

Sizing up risk management: Accountants issue guide for cyber audits

More Like This

Proposed data broker regulations draw industry pushback on anonymized data exceptions, bulk thresholds

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

Federal agencies are falling behind on meeting key privacy goal set five years ago

Top Stories

Iranian nationals charged with hacking U.S. companies, Treasury and State departments

CISA ransomware warning program set to fully launch by end of 2024

FCC wants rules for ‘most important part of the internet you’ve probably never heard of’

More Scoops

Treasury report calls out cyber risks to financial sector fueled by AI

Your company should manage your cyber risk like any other risk

NSA-approved cybersecurity law and policy course now available online

As threats increase, audit finds federal agencies struggle to implement cyber plans

DHS to unveil National Risk Management Center

OMB slams agencies on cyber risk, calls for ‘bold’ new approaches

NIST wants to the federal government to pay more attention to the supply chain

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics