« Tips for Stress-Free Summer Travel | Main | Learning from Prince’s $250 Million Mistake »

It’s Time to Speak the Same Language on Cybersecurity

Cybersecurity 3Recent massive ransomware attacks on organizations around the world demonstrate how disruptive—and in some cases destructive—cyberattacks can be. The “WannaCry” malware incident is just the latest alarm on the ever-urgent call for companies to immediately address and manage their cybersecurity risks. Every organization is susceptible to cyber assaults, making a clearly defined, flexible and robust risk management program essential to a business’s ongoing success.

Addressing an Increasing Market Need

With cyberattacks on the rise, organizations are not only reinforcing their ability to prevent attacks, but also taking steps to demonstrate that they are doing all they can to detect, respond to, mitigate and recover from attacks on a timely basis. Customers, investors, boards of directors and even government officials want to know more about what companies are doing to address cybersecurity.

At the AICPA, we saw the emerging market need several years ago. We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place. This lack of transparency makes it difficult for stakeholders to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats. We asked our Auditing Standards Board (ASB) and Assurance Services Executive Committee (ASEC) to work together to develop a voluntary, agile, market-driven solution.

Cybersecurity Reporting Framework Creates a Common Language

The AICPA has released a cybersecurity risk management reporting framework developed by a group of ASEC members representing a broad swath of CPA practitioners providing IT security services to clients in a wide range of businesses and industries. The framework consists of a description of the entity’s cybersecurity program prepared by management, a management’s assertion, and a CPA’s opinion. Together with two sets of related criteria, the framework provides a common language for organizations to describe their cybersecurity risk management efforts (in the description) and for CPAs to report on those efforts.


The framework is designed to meet the information needs of a broad range of third-party users. It provides organizations with a common language to use when evaluating and reporting on their cybersecurity efforts, and gives them a level of comfort that they’ve adequately considered best practices when designing, implementing and operating their programs. 

Because the framework is aligned with security frameworks and standards organizations frequently use internally to manage their cybersecurity risks, it offers a way for companies in all industries to evaluate and report on the effectiveness of cybersecurity controls, regardless of the security standards or frameworks they use internally. 

The Accounting Profession’s Critical Role

The accounting profession plays a vital role in the many facets of cybersecurity risk management, and our reporting framework facilitates this work in the following ways:

  • Within their organizations, management accountants can help colleagues understand the importance of the role all staff members play in helping the organization achieve its cybersecurity goals. Management accountants more directly involved with the organization’s cybersecurity efforts can promote awareness and use of the framework as a means of communicating those efforts, both internally and externally, and of evaluating the effectiveness of the organization’s controls in achieving its cybersecurity objectives. 
  • CPAs can help their clients by providing cybersecurity risk management advisory services, such as an assessment of clients’ cybersecurity readiness to prepare those considering an examination. Of course, the framework is used by CPAs with significant experience assessing IT controls in a cybersecurity examination. As in a financial statement audit, a CPA’s opinion is designed to enhance stakeholders’ confidence in the cybersecurity information prepared by company management.

Learn More

The AICPA today released the final component of the new cybersecurity risk management framework. Reporting on an Entity's Cybersecurity Risk Management Program and Controls is the attestation guide for CPAs engaged to examine and report on their client’s cybersecurity risk management programs and controls. The guide presents a new offering to help firms protect clients, their stakeholders and the public interest.    

For more information on the AICPA’s cybersecurity risk management reporting framework, visit aicpa.org/cybersecurityriskmanagement. You’ll find the reporting framework’s free description criteria, plus a fact sheet, backgrounder, illustrative report and other valuable free resources. In addition, the site contains links to the framework’s control criteria (2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy).

The AICPA’s cybersecurity risk management reporting framework and related criteria are a critical tool in the arsenal against today’s biggest business threat. Here are just a handful of other existing and upcoming resources to broaden accountants’ understanding of cybersecurity risks and implement the new cybersecurity risk management reporting framework:

I hope you’ll join me and the rest of the accounting profession in contributing to more effective ways to combat and conquer cyber assaults. Visit aicpa.org/cybersecurity for more information.

You can watch a rebroadcast of a Facebook Live session on cybersecurity with Joel White, Senior Director - Internal Audit, Risk, and Compliance. 

Susan S. Coffey, CPA, CGMA, Executive Vice President - Public Practice, Association of International Certified Professional Accountants

Cybersecurity courtesy of Shutterstock.


Comments are moderated. Please review our Comment Policy before posting.


Subscribe in a reader

Enter your Email:

CPA Letter Daily