The AICPA has proposed a new type of audit engagement, called a Cybersecurity Examination.
The exam consists of a new management assessment of the effectiveness of cybersecurity controls, incorporating COSO’s internal control principles and referencing industry standard frameworks for cybersecurity. It also includes a related auditor’s assertion, based on enhanced and updated standards for trust services engagements.
Although regulators do not require management and auditor assertions at the level of specificity and standardization proposed here, the engagements are designed to meet increasing calls for shoring up cybersecurity controls and risk management and for making them more transparent. As such, the intended audience for such reports includes stakeholders concerned about, or responsible for overseeing, cybersecurity risk management, such as the board of directors.
Specifically, the new cybersecurity exam would be implemented through two exposure drafts of proposed standards: one applicable to management’s description of its cybersecurity controls and its related assessment of their effectiveness, and one setting out the criteria for the auditor’s assertion on those controls:
- “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program,” intended for use by management in designing and describing its cybersecurity risk management program and by public accounting firms to report on management’s description.
- “Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” outlining revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or SOC 2® engagement.
Earlier this year, AICPA President and CEO Barry Melancon explained that the AICPA’s initiatives in cybersecurity are designed for use by public as well as private companies.
As noted in the AICPA’s press release, the exposure drafts for the cybersecurity exam carry a comment deadline of Dec. 5.
Additional information can be found in the AICPA’s Cybersecurity Resource Center.
Busy week in cybersecurity
The AICPA’s announcement caps a week of major cybersecurity developments, including the White House announcing the first federal chief information security officer, who will “drive cybersecurity policy, planning, and implementation across the government,” and the conclusion of the Internet Security Alliance’s Top of the Hill security conference.
The ISA, a private-sector organization whose members include both private- and public-sector organizations, was founded in 2001 in conjunction with Carnegie Mellon University to “combine the thought leadership of a think tank with the advocacy of a trade association and the programs of a professional association.” Earlier this year, the ISA published an updated document, “Social Contract 3.0.” The genesis of the ISA’s effort to bring together a diverse group of market participants to take a stand on market-based solutions, and to make recommendations to government, is explained on ISA’s Social Contract webpage.
CAQ backs voluntary cybersecurity exam
The Center for Audit Quality is playing an increasingly active role in cybersecurity thought leadership, with its contribution of Chapter 13 of “Social Contract 3.0.” As noted in a related CAQ press release, “Social Contract 3.0,” a report “which provides wide-ranging perspectives and recommendations from numerous industries and professions across the private sector and policy spectrum, is targeted particularly to leadership of the incoming U.S. administration.”
“Social Contract 3.0” cites the importance of the CAQ’s initiative with respect to the role of auditors and finance professionals (emphasis added):
“Several chapters in this volume, notably chapter three (from the defense sector) and chapter 13 (by the Center for Audit Quality), offer directions for this new system to evolve. Instead of a backward looking, finance-based, pass-fail model we need to create a forward-looking risk management model powered by growth and incentives not penalties and compliance.”
As described in “CAQ: Audit’s role in cybersecurity exams,” by Compliance Week’s Tammy Whitehouse, the CAQ’s chapter in “Social Contract 3.0” describes the tie-in between auditors’ cybersecurity exams and other risk frameworks as follows:
“The CAQ’s chapter says an independent cyber-security examination could be aligned with the 17 principles of COSO’s Internal Control — Integrated Framework and mapped to the National Institute of Standards and Technology Cybersecurity Framework as well as the International Organization for Standardization Information Security Management Framework. That would allow companies to choose from among multiple cyber-security internal control frameworks for their risk management approaches.”
In its recommendations in “Social Contract 3.0,” the CAQ notes that added incentives for good governance, including voluntary cybersecurity assertions and exams, can be a powerful market force, noting, “A cybersecurity examination report could be one way to demonstrate good faith effort on the part of management and the board.”
At the same time, the CAQ, whose board consists of leading members of the audit profession and independent board members from the world of corporate governance, notes in “Social Contract 3.0” that it supports voluntary — not mandatory — cybersecurity exams. “Although the AICPA has begun development of a new attest service, we believe that the decision to utilize such a service should rest with each individual company and its board and management and should not become a regulatory requirement,” the CAQ states.