Understanding cybersecurity to be one of the leading risks facing enterprises, the American Institute of Certified Public Accountants (AICPA) recently released its exposure draft for public comment, “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.” The proposed guidance, will provide a common language for companies to use in describing cybersecurity risk management processes, and will serve as the basis for CPAs to examine and report on an entity’s cybersecurity measures. The comment period for this exposure draft is through December 2016, with guidance expected to be released in the first quarter of 2017.
The new cyber attestation will give organizations the ability to better understand elements for an effective cybersecurity risk management and will allow organizations to report to external stakeholders on their cybersecurity programs with the credibility associated with an independent auditor’s report. The new criteria provide an important framework for organizations to communicate useful information about their cybersecurity risk management programs to stakeholders.
The exposure draft defines the following two elements of subject matter to be addressed in the cybersecurity examination:
The exposure draft lays out nine categories that the entity must address in its cybersecurity description. These categories are intended to provide the reader with a comprehensive understanding of the cybersecurity risks affecting a particular entity and the processes and controls the entity has implemented to address those risks.
Within each of the nine categories, the exposure draft identifies more specific description criteria for a total of 32 description criteria that must be addressed.
The exposure draft organizes control criteria and specific points of focus within each of the 32 description criteria. The points of focus are intended to provide management with guidance and flexibility when describing its criteria. It’s important to note that in the preparation of its description, management may not need to address each point of focus. The exposure draft recognizes that certain points may “not be suitable or relevant” in every circumstance and management “may identify and consider other characteristics based on specific circumstances of the entity.” However, the auditor will still need to render an opinion on whether the description is fairly presented in accordance with the description criteria.
Several points within the AICPA’s cybersecurity exposure draft make reference to cybersecurity controls that should be in place. Management should leverage a cybersecurity control framework when implementing cybersecurity controls. The AICPA has also released description criteria via a revised exposure draft of the existing Trust Services Principles and Criteria that could be used as a cybersecurity control framework, or management could use other recognized cybersecurity frameworks if they meet the definition of “suitable criteria.” These controls are necessary to include in the description in order to describe how the entity detects, responds to, mitigates, and recovers from cybersecurity incidents.
The recently released exposure drafts provide the framework for an entity-wide cybersecurity examination engagement. In addition to the additional description criteria related to cybersecurity, the scope of the cyber attestation would be broader and encompass the entire organization, not just the systems processing customer data. In many instances for an organization that already obtains a SOC 2 we anticipate the majority of the controls applicable to the SOC 2 would also be applicable to the cyber examination; however, the cyber examination would likely include a much broader scope and require additional controls as well.
For more information on this topic, or to learn how Baker Tilly cybersecurity and information technology risk specialists can help, contact our team.