AICPA ASEC Weighs In on Cybersecurity Risk Management
We constantly read and hear about cybersecurity breaches and about the increased probability that companies will be breached. The AICPA ASEC (Assurance Services Executive Committee) was tasked with providing direction to the marketplace, because the information that all constituents rely on to drive decision-making is, or will be, affected by security events.
ASEC has defined a security event as an occurrence, arising either internally or externally, that could pose a threat to the availability, integrity or confidentiality of information or systems through unauthorized access, result in unauthorized disclosure or theft of information or other assets, cause damage to systems, and so on.
Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program
In the Exposure Draft titled “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program”, the primary objective was outlined as follows:
To propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk-management programs to stakeholders. Such a framework would:
- Provide transparency
- Assess the program effectiveness
- Reduce communication and compliance burden
- Be reasonably complete
- Provide comparability
- Minimize the risk of creating vulnerabilities
- Permit management flexibility
- Connect the dots on best practices
- Be voluntary
- Be scalable and flexible
- Evolve to meet changes
The intent of the framework is to support cybersecurity attestation engagements that meet the informational needs of a broad range of potential report users and that leverage the core competencies of CPAs as providers of these services in accordance with the Code of Professional Conduct and Professional Services.
Three Reporting Levels
After analyzing the needs of the users, the AICPA concluded that three separate types of reports are needed to address the information security reporting needs of market constituents. These reports are at three specific reporting levels and described in the table below.
For now, the focus of the ED covering Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program is only on entity-level reporting.
Withum clients currently working with our Cyber Secure team will read in the ED covering the Proposed Description Criteria that an entity’s cybersecurity risk management program is the set of policies, processes and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives, and to detect, respond to, mitigate and recover from, on a timely basis, security events that are not prevented. Our collaboration and focus on an operating environment built around Identify, Protect, Detect, Respond and Recover will enable management to prepare the content called for by the proposed description criteria. In addition, our assessment analysis is expected to help management determine the effectiveness of the controls within the program.
Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy
Along with the cyber risk management proposal, the ASEC also developed an ED titled “Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy”, which forms the basis of SOC 2 engagements.
To enable the trust services criteria to also be used in entity-wide engagements, ASEC is reorganizing and revising the extant trust services criteria to more closely align with the 17 principles in Internal Control—Integrated Framework, an internal control framework revised in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013).
The proposed revisions to the trust services criteria have been adapted from the principles in the COSO 2013 framework and include supplemental criteria that apply to engagements using the trust services criteria over security, availability, processing integrity, confidentiality or privacy.
They also include points of focus related to each criterion. The points of focus represent important characteristics of the control criteria. Management may determine that some of the points of focus are not suitable or relevant and may identify and consider other characteristics based on specific circumstances of the entity.
The goal behind the restructuring and the added supplemental criteria is to better address cybersecurity risks in engagements using the trust services criteria. The supplemental criteria that were added address the following:
- Logical and physical access controls
- System operations
- Change management
In conclusion, the AICPA believes that an entity, its board of directors and its shareholders will be best served if a defined set of information intended to meet their common needs addresses cybersecurity concerns.
Comments on the proposed description criteria and the proposed Trust Services Criteria are due on December 5, 2016. Because the commentary process may not result in comments from all important classes of stakeholders, the AICPA is working with the Center for Audit Quality to obtain additional input.
In addition to the two sets of proposed criteria, the AICPA ASEC Cybersecurity Working Committee is working in conjunction with the AICPA Auditing Standards Board to develop an attestation guide that will provide guidance to CPAs on how to perform cybersecurity examination engagements in accordance with the AICPA attestation standards. This guide does not require the use of the AICPA-developed description criteria and Trust Services Criteria; rather, management and the auditor may use any suitable description criteria and controls criteria.
See all the details on the Exposure Drafts and the Cybersecurity: A Backgrounder documents here.