Companies and their auditors should employ a common language in evaluating the effectiveness of cybersecurity risk management programs, the American Institute of CPAs said.
To jump-start the process, the organization released a cybersecurity risk management reporting framework on April 26.
A fact sheet accompanying the document likened the common language to U.S. generally accepted accounting principles or International Financial Reporting Standards that are for financial reporting.
“This framework is voluntary and guided by customer needs and market trends,” Erin Mackler, AICPA’s director of assurance and advisory services—SOC reporting, told Bloomberg BNA on May 2. “We feel it will enable all organizations to be proactive and agile in cybersecurity risk management and to communicate on their cybersecurity efforts to key stakeholders.”
“The framework can be used by all entities, including employee benefit plans, although it is too soon to offer specific insights to those plans,” Mackler said.
The framework provides two distinct but complementary sets of criteria for use in an examination of an entity’s cybersecurity risk management program.
Under the framework, management would prepare certain information about the entity’s cybersecurity management program for the CPA to examine and report on the information in accordance with the AICPA’s attestation standards.
“The framework includes two components: a description criteria used by management to explain its cybersecurity risk management, and a control, outcome-based criteria that management can use to internally evaluate controls and processes in place, or a CPA can provide advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program,” Mackler said. The framework can be used in conjunction with other cyber-related frameworks, such as the NIST Critical Infrastructure Cybersecurity Framework and ISO 27001/27002, she said.
To get the appropriate framework in place, AICPA solicited the views of companies, boards and IT security professionals, Mackler said.
Later this month, the AICPA will issue further guidance to assist CPAs engaged to examine and report on a company’s cybersecurity risk management program, she said.
See related story, AICPA Launches Effort to Improve Cybersecurity Risk Reporting.
Gain a deeper understanding of the legal complexities of employee benefits and executive compensation with a free trial to Bloomberg Law: Benefits and Executive Compensation.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)