Cybersecurity risk – the CPA profession’s response — AICPA develops Cybersecurity Risk Framework

In the olden days crooks had to break into a business to rob it…not anymore. Cyberattacks are spreading.  A cyberattack is an attempt by hackers to damage or destroy a computer network or system, or to misappropriate information from one.  Companies are under increasing pressure to protect their assets and the confidential information they possess.  Historically a company's internal controls were the procedures to prevent, detect and correct errors – and also to reduce the risk that assets will be misappropriated.  Management is now under pressure to demonstrate to owners and customers that it is effectively managing cybersecurity threats and that it has effective controls and procedures in place to detect, mitigate, respond to and recover from those threats.

To address this need, the AICPA has developed a "cybersecurity risk management reporting framework" (the Framework) that assists management in developing effective control processes.



The Framework provides senior management, boards of directors and other interested parties with useful information for decision-making about an organization’s cybersecurity risk management program. And it provides organizations with a context for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence.

What types of issues does the Framework address?

  • Communication procedures
  • Processes and programs to evaluate the program’s effectiveness
  • Policies, processes, and controls to detect, respond to, mitigate, and recover in the event of a cybersecurity breach
  • Communication
  • Responses to breaches at relevant vendors and business partners
  • Cyber event simulation
  • Mitigation and risk transfer options (including cyber insurance coverage)
  • Staffing and access to internal and external skills

The Framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization's enterprise-wide cybersecurity risk management program.  This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of an organization's efforts.

CPAs and management can use the cybersecurity criteria to help benchmark their evaluation of the entity’s cybersecurity framework.  CPAs can use the framework to provide advisory engagements to help their clients strengthen their cybersecurity risk management programs. Ultimately, the CPA can offer a cybersecurity risk management examination engagement and provide an opinion on the entity’s description of its efforts, and the effectiveness of its controls.

CPAs can use the cybersecurity framework to provide attestation services by performing an examination of management’s program or as non-attest consulting services where they give information and recommendations to management.

CPAs will consider the criteria from the perspective of these categories:

  1. Nature of Business and Operations. Disclosures about the nature of the entity’s business and operations.
  2. Nature of Information at Risk. Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses, and stores that is susceptible to cybersecurity risk.
  3. Cybersecurity Risk Management Program Objectives (Cybersecurity Objectives). Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, integrity of data, and integrity of processing and the process for establishing, maintaining, and approving them.

Use of the Framework

The framework may prove to be a valuable resource for CPA firms to enhance their own cybersecurity risk management programs and to provide professional services to clients – both consulting services and attestation services.

Enhancing the CPA firm’s programs

Prior to providing professional services to clients, CPA firms may find the framework suitable for strengthening and enhancing their own cybersecurity risk management programs.  CPA firms are often targets of cyberattacks due to the sensitive nature of the client data they process – such as Social Security numbers, birth dates and banking information.

Consulting services

Perhaps the first engagements CPAs will provide their clients are consulting engagements where the practitioner gives recommendations and assistance to their clients in strengthening their cybersecurity risk programs.  Companies may turn to their CPA firms for assistance – and CPAs may be in a good position to suggest a consulting engagement while performing other professional services for their clients.  As with other non-attest consulting services, however, CPAs may need to consider threats to independence, if applicable. CPA firms also need to be sure that they have sufficient qualified personnel to perform the services and that they carefully communicate the scope of the proposed services and reach an understanding with the client on the services they agree to deliver.

Examination of management’s cybersecurity program

Should the entity engage the CPA practitioner to examine its assertion about its cybersecurity program, the presentation will have three components:

The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program. Management’s description is intended to provide users with information that will help them better understand the entity’s cybersecurity risk management program.

The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

The third component is a practitioner’s report, which contains an opinion. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

What’s next?

Cybersecurity threats and management's response to those threats may be relatively new.  But this is a growing concern that will not disappear. The CPA profession has developed tools and techniques that CPAs may use in their own practice and to provide professional services to clients.  This article provided a very brief overview of the new AICPA framework and how CPAs can become involved.  If you are interested in a deeper dive, more resources can be found on the AICPA's website, "SOC for Cybersecurity: Information for CPAs".

Andrew M. Mintzer, CPA is a forensic accountant with the Los Angeles office of Hemming Morse, LLP.  He is a past chair of the California Society of Certified Public Accountants.

This article discusses professional services in general – I have not considered any specific situations.  The application of standards to a particular situation depends on the specific facts and circumstances and analysis of the applicable accounting standards.  Therefore this article is educational in nature and does not represent professional accounting advice or services.

GAAP Matters – will debt classification change…will AICPA independence rules change?

Groups oppose the change proposed by the FASB, and…

New Lease GAAP accounting prompts a change in the AICPA’s auditor independence standard

Both the Private Company Council (PCC) and the Investor Advisory Committee (IAC) have recommended that the FASB reconsider and change its decision on a proposed GAAP standard dealing with debt classification (ASC Topic 470).


The FASB has proposed and considered a change to GAAP that would affect the classification of debt. This proposal affects when debt can be classified as a non-current liability.  Classification as current vs non-current affects some key financial statement measures.

Generally, classification of debt as “long-term” is not available to instruments which will mature and become due within one year of the balance sheet date.  Under the proposal, debt “should” be classified as long-term (i.e. noncurrent) if “The entity has a contractual right to defer settlement of the liability for at least one year (or operating cycle, if longer) after the balance sheet date. If, before the balance sheet date, an arrangement is in place with a third party (for example, a line of credit) that would result in the entity avoiding the transfer of current assets within 12 months from the balance sheet date, the debt should be classified as noncurrent because the entity has a contractual right to defer settlement.”

The PCC requested that the FASB reconsider its prior decision to allow companies to classify debts due within 12 months as long-term debt if the company has unused long-term financing arrangements at the balance sheet date.  The PCC stated that the FASB decision to consider unused long-term financing arrangements adds complexity and is therefore not in line with its intent to simplify balance sheet classification of debt.

The IAC recommended the Board change its tentative decision to reclassify current debt as a non-current liability based solely on unused long-term financing arrangements – such as a line of credit.  The groups consider the analysis of whether the entity can use the line of credit to effectively extend the repayment of the debt to be somewhat complex, as it could potentially include assessing the reasonableness that the line of credit will not be needed for other liquidity needs along with an assessment of the terms and conditions of the credit line.

We have here an example where both the PCC and IAC, despite their varying stakeholders and perspectives, have provided somewhat similar feedback to the FASB. According to the FASB website, the PCC is the primary advisory body to the FASB on private company matters. The PCC uses the Private Company Decision-Making Framework to advise the FASB on the appropriate accounting treatment for private companies for items under active consideration on the FASB's technical agenda. According to the FASB's website, the IAC is a standing committee that is expected to work closely with the FASB in an advisory capacity to ensure that investor perspectives are effectively communicated to the FASB on a timely basis in connection with the development of financial accounting and reporting standards.

And speaking of debt…AICPA Code of Conduct interpretation change is on the horizon for CPAs who have lease arrangements with clients

At its upcoming meeting the AICPA’s Professional Ethics Executive Committee (PEEC) will consider adopting a change to the independence interpretation that affects CPAs who have lease arrangements with their clients. This proposed revision was originally considered and exposed for comment by PEEC while I was a member of the PEEC.

The existing "Leases" independence interpretation provides that a lease between the CPA and the attest client does not impair independence if the lease is an operating lease – and – the lease terms are comparable with leases of a similar nature, and all amounts are paid in accordance with the lease terms and provisions. This existing interpretation also provides that a capital lease impairs independence because it is considered to be a prohibited loan with the attest client.

The FASB has since adopted authoritative GAAP, codified in ASC 842, Leases, that when effective will significantly change the operating versus capital lease distinction on which the interpretation relies. Calendar year-end public business entities will adopt the new leases standard on January 1, 2019. Thus, PEEC determined it needed to consider how that GAAP change affects the Code of Professional Conduct.

The proposed revision to the Code of Conduct replaces the extant GAAP categorization approach with a conceptual framework approach, allowing for the consideration of factors that PEEC believes truly affect the CPA’s objectivity and professional skepticism. PEEC has stated that it does not believe that objectivity and professional skepticism are affected by whether a lease is an operating lease or a capital lease, per se, but believes that other factors related to the lease and the relationship should be considered in arriving at a conclusion on independence.

While the GAAP lease categorization requirements have been proposed to be eliminated from the revised interpretation, the other requirements remain in the proposed revised interpretation as minimum safeguards. Once these minimum safeguards are met (where applicable), the CPA is required to use a threats and safeguards approach, evaluating any other threats identified and applying safeguards when necessary.

PEEC is set to take up the final adoption of its proposal in the summer of 2018…I will follow its progress and provide additional analysis as information becomes available.