Cybersecurity, also known as IT security or computer security, is the protection of information systems and data from theft, disruption or intrusion. In September 2016, the American Institute of Certified Public Accountants (AICPA) issued two exposure drafts relating to cybersecurity:
- Proposed Description Criteria for Management’s Description of an Entity’s Cyber Security Risk Management Program – (Effective upon issuance)
- Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy – (Effective for reports issued after June 15, 2018, with earlier adoption permissible)
The public is encouraged to comment on these proposed standards prior to December 5, 2016.
The first exposure draft responds to an important need in the marketplace. Currently, there are multiple frameworks for evaluating cybersecurity, and the lack of standardization has caused confusion and ambiguity. The AICPA’s proposal would establish common criteria to measure the effectiveness of an entity’s cybersecurity risk management program. It would also allow CPAs and CPA firms — leaders in the auditing profession — to conduct an independent audit of an entity’s IT security and issue a cybersecurity examination report. These examination reports will empower boards of directors, senior management, and other stakeholders to confidently assess the effectiveness of their cybersecurity risk management programs.
The second exposure draft would alter the existing Trust Services Principles and Criteria to be more applicable in evaluating the controls within an entity’s cybersecurity risk management program. It also would reorganize the criteria to more closely align with the 17 principles detailed in Internal Controls — Integrated Framework, an internal control framework revised in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013 framework). See the mapping of the current Trust Services Principles and Criteria to the proposed revisions.
At Accounting and Business Consultants, LLC, we believe the AICPA’s proposals will add clarity and efficiency to cybersecurity risk management and auditing, while ensuring continuous improvement and increased investor confidence. Aligning the Trust Services Principles and Criteria to the COSO 2013 framework will also benefit IT auditors and professionals evaluating internal controls over financial reporting.
Our CPAs and Certified Information Systems Auditors (CISAs) are skilled and trained to assist you in properly evaluating, designing, and implementing your organization’s IT controls. We assess internal controls every day, and we can help you ensure your systems are secure and reliable. Email us at firstname.lastname@example.org to learn more or call 800-930-2923. For more information, click this link or visit http://www.abcpas.com/it-controls-audits.htm