“Common Language” Envisioned for Cybersecurity Risk Management Audits


Companies and their auditors should employ a common language in evaluating the effectiveness of cybersecurity risk management programs, the American Institute of CPAs said.

To jump-start the process, the organization released a cybersecurity risk management reporting framework on April 26.

A fact sheet accompanying the document likened the common language to U.S. generally accepted accounting principles or International Financial Reporting Standards that are for financial reporting.

“This framework is voluntary and guided by customer needs and market trends,” Erin Mackler, AICPA’s director of assurance and advisory services—SOC reporting, told Bloomberg BNA on May 2. “We feel it will enable all organizations to be proactive and agile in cybersecurity risk management and to communicate on their cybersecurity efforts to key stakeholders.”

“The framework can be used by all entities, including employee benefit plans, although it is too soon to offer specific insights to those plans,” Mackler said.

Complementary Criteria

The framework provides two distinct but complementary sets of criteria for use in an examination of an entity’s cybersecurity risk management program.

Under the framework, management would prepare certain information about the entity’s cybersecurity management program for the CPA to examine and report on the information in accordance with the AICPA’s attestation standards.

“The framework includes two components: a description criteria used by management to explain its cybersecurity risk management, and a control, outcome-based criteria that management can use to internally evaluate controls and processes in place, or a CPA can provide advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program,” Mackler said. The framework can be used in conjunction with other cyber-related frameworks, such as the NIST Critical Infrastructure Cybersecurity Framework and ISO 27001/27002, she said.

To get the appropriate framework in place, AICPA solicited the views of companies, boards and IT security professionals, Mackler said.

Later this month, the AICPA will issue further guidance to assist CPAs engaged to examine and report on a company’s cybersecurity risk management program, she said.

See related story, AICPA Launches Effort to Improve Cybersecurity Risk Reporting.

Gain a deeper understanding of the legal complexities of employee benefits and executive compensation with a free trial to Bloomberg Law: Benefits and Executive Compensation.