The AICPA on May 23, 2017, released the Audit and Accounting Guide (AAG) AAG: Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (aag-cyb) to provide a framework for managing cybersecurity risks.
The guide explains how to implement the framework and report on an organization’s program for managing technology risks on a company-wide basis, the AICPA said. It also provides criteria for describing a risk management program and evaluating a client’s controls for managing technology risks. The Trust Services Criteria (TSP) Section 100, “2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” can be used for evaluating a client’s controls or when consulting about cybersecurity.
The AICPA said the cybersecurity risk management examination is part of the AICPA’s line of System and Organization Controls—or SOC—guidance. On April 25, the AICPA’s Assurance Services Executive Committee (ASEC) released a reporting framework for managing cybersecurity risks that included TSP Section 100, which was issued to replace TSP Section 100A , “Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.” The amended framework aligns the ASEC’s guidance with the Internal Control—Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the AICPA said. It also updates the trust services guidance to address computer risks. Other changes that are meant to make the guidance easier to apply. It also includes criteria for describing management’s risk management practices and guidance for accountants to use when evaluating a client’s cybersecurity management.
The AAG: Reporting on Cybersecurity Risk Management also provides interpretive guidance for cybersecurity examinations and illustrative examples of reports from an accountant that deal with managing cybersecurity risks.
For more information on this topic, or to learn how Baker Tilly accounting and assurance specialists can help, contact our team.
We have partnered with Thomson Reuters to issue our monthly Accounting insights. Please feel free to contact Baker Tilly at email@example.com if you have any questions related to these articles or Baker Tilly's Accounting and Assurance Services. © 2016 Thomson Reuters/Tax & Accounting. All Rights Reserved.