In the olden days crooks had to break into a business to rob it…not anymore. Cyberattacks are spreading. Cyberattacks are an attempt by hackers to damage or destroy a computer network or system or to misappropriate information from one. Companies are under increasing pressure to protect the assets and the confidential information they possess. Historically a company’s internal controls were the procedures to prevent, detect and correct errors – and also reduce the risk that assets will be misappropriated. Management is under pressure to demonstrate to owners and customers that they are effectively managing cybersecurity threats and that they have effective controls and procedures in place to detect, mitigate, respond to and recover from cybersecurity threats.
To address this need, the AICPA has developed a “cybersecurity risk management reporting framework (Framework)” that assists management develop effective control process.
The Framework provides senior management, boards of directors and other interested parties with useful information for decision-making about an organization’s cybersecurity risk management program. And it provides organizations with a context for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence.
What types of issues does the Framework address?
- Communication procedures
- Processes and programs to evaluate the program’s effectiveness
- Policies, processes, and controls to detect, respond to, mitigate, and recover in the event of a cybersecurity breach
- Responses to breaches at relevant vendors and businesspartners
- Cyber event simulation
- Mitigation and risk transfer options (including cyber insurance coverage)
- Staffing and access to internal and external skills
The Framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organizations’ enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations’ efforts.
CPAs and management can use the cybersecurity criteria to help benchmark their evaluation of the entity’s cybersecurity framework. CPAs can use the framework to provide advisory engagements to help their clients strengthen their cybersecurity risk management programs. Ultimately, the CPA can offer a cybersecurity risk management examination engagement and provide an opinion on the entity’s description of its efforts, and the effectiveness of its controls.
CPAs can use the cybersecurity framework to provide attestation services by performing an examination of management’s program or as non-attest consulting services where they give information and recommendations to management.
CPAs will consider the criteria from the perspective of these categories:
- Nature of Business and Operations. Disclosures about the nature of the entity’s business and operations.
- Nature of Information at Risk. Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses, and stores that is susceptible to cybersecurity risk.
- Cybersecurity Risk Management Program Objectives (Cybersecurity Objectives). Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, integrity of data, and integrity of processing and the process for establishing, maintaining, and approving them.
Use of the Framework
The framework may prove to be a valuable resource for CPA firms to enhance their own cybersecurity risk management programs and to provide professional services to clients – both consulting services and attestation services.
Enhancing the CPA firm’s programs
Prior to providing professional services to clients, CPA firms may find the framework suitable for strengthening and enhancing its own cybersecurity risk management programs. CPA firms are often targets of cyberattacks due to the sensitive nature of client data processed – such as social security number, birth dates and banking information.
Perhaps the first engagements CPAs will provide their clients are consulting engagements where the practitioner gives recommendations and assistance to their clients in strengthening their cybersecurity risk programs. Companies may turn to their CPA firms for assistance – and CPAs may be in a good position to suggest a consulting engagement while performing other professional services for their clients. As with other non-attest consulting services, however, CPAs may need to consider threats to independence, if applicable. CPA firms also need to be sure that they have sufficient qualified personnel to perform the services and that they carefully communicate the scope of the proposed services and reach an understanding with the client on the services they agree to deliver.
Examination of management’s cybersecurity program
Should the entity engage the CPA practitioner to examine its assertion about its cybersecurity program, the presentation will have three components:
The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program. Management’s description is intended to provide users with information that will help them better understand the entity’s cybersecurity risk management program.
The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
The third component is a practitioner’s report, which contains an opinion. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
Cybersecurity threats and managements response to those threats may be relatively new. But this is a growing concern that will not disappear. The CPA professional has developed tools and techniques that CPAs may use in their own practice and to provide professional services to clients. This article provided a very brief overview of the new AICPA framework and how CPAs can become involved. If you are interested in a deeper dive, more resources can be found the AICPA’s website, “SOC for Cybersecurity: Information for CPAs”.
Andrew M. Mintzer, CPA is a forensic accounting with the Los Angeles office of Hemming Morse, LLP. He is a past chair of the California Society of Certified Public Accountants.
This article discusses professional services in general – I have not considered any specific situations. The application of standards to a particular situation depends on the specific facts and circumstances and analysis of the applicable accounting standards. Therefore this article is educational in nature and does not represent professional accounting advice or services.