AICPA Unveils Cybersecurity Risk Management Reporting Framework

Don Goettemoeller |

One only needs to skim the daily news to realize that hackers are getting better and cybersecurity is more important than ever. The most recent cyberattack was a strain of ransomware that spread itself across all workstations in a network, causing a global epidemic. Luckily, a programmer developed an internal “kill switch,” which disabled the malware from spreading any further. Regardless of whether your system was impacted by this outbreak or not, there are many lessons to be learned; principally, the need to reinforce fundamental security practices to prepare for the future.

Taking these recent outbreaks into consideration, it is evident that organizations need to make cybersecurity risk management a top priority. To help leaders in the accounting profession reach this goal, the American Institute of CPAs (AICPA) has unveiled a cybersecurity risk management reporting framework that will help companies and auditors communicate cyber risk readiness to stakeholders. The framework is long overdue. Until now, a common language for companies to communicate about their cybersecurity risk management was non-existent. The AICPA’s new framework includes three main resources:

1. Description criteria used by management to explain the organization’s cybersecurity risk management program.

2. Control criteria used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.

3. Attest Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, will be used to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.

Cyber threats are constantly evolving; and unfortunately, your cash and customer information are desirable targets. Providing assurance to your team and stakeholders requires intentionality and a plan. Having strong cybersecurity measures in place will help safeguard sensitive information, and the AICPA’s new reporting framework will help you better communicate your preparedness to key stakeholders. If you need any guidance in this area, please reach out to one of our tax advisors.