Cybersecurity Risk Management Reporting Framework
On April 26, 2017, the AICPA announced the release of a voluntary reporting framework that addresses risk management and reporting of cybersecurity threats. With the announcement, two sets of criteria under the framework were released:
- “Description criteria – For use by management in explaining its cybersecurity risk management program in a consistent manner and for use by CPAs to report on management’s description.
- “Control criteria – Used by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.”
The attest guide, “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” was released in May.