As cyber security threats continue to increase, investors, boards of directors and companies of all sizes and industries are increasingly looking for an appropriate method to evaluate their security posture to address these threats. The American Institute of Certified Public Accountants (“AICPA”) has introduced a cyber security risk management reporting framework to help auditors and companies demonstrate what they are doing to safeguard against data breaches, hacking and other technology-related dangers.

A Common Framework

As I have written about previously, there are numerous benchmarks for an organization to select from when evaluating the adequacy of its defense against external cyber threats. However, due to the variability of these benchmarks, it has been difficult for companies to provide meaningful reporting and communication of their cyber security risk management programs. With the introduction of the AICPA Cyber Security Risk Framework, organizations now have a common language that will be consistent across industries rendered by a CPA, an acknowledged resource for providing an independent assessment of an organization’s controls.

As with opining on the accuracy of an organization’s financial statements, CPAs will now deliver an opinion on an entity’s cyber security risk management program. This is a natural extension of the CPA’s experience in auditing information technology controls and will be based upon two resources incorporated in the Cyber Security Risk Framework.

Two resources under the new framework

1. Description criteria- Management can use this to explain a company’s cyber security risk management program. CPAs can also use this to report on the accuracy of management’s explanation.
2. Control criteria- Evaluates and reports on the effectiveness of the controls within a company’s program. It is used by CPAs who are offering advisory or attestation services.

Both resources are currently available and in May a third resource will be offered called “The Attest Guide” which will further assist CPAs with examining and reporting on an entity’s cyber security risk management program.

Benefits for stakeholders

Companies worldwide will be able to explain how they’re managing cyber security risk with the new framework. Since cyber security threats are escalating, stakeholders are increasingly wary of trusting a company with sensitive information. This tool will allow investors, audit committees, boards, and business partners the ability to gain a better understanding of the effectiveness of management’s efforts to curb cyber security risk. The new reporting will also allow third parties to assess an entity’s cyber security risk program and compare it to other security programs in a variety of industries.

Questions on your organization’s cybersecurity efforts? Contact any member of our Information Security Services Team.