To help tax professionals and their clients manage cybersecurity risk, the American Institute of CPAs issued a voluntary reporting framework in April that lays out a “proactive and agile” approach to risk management, according to a statement from AICPA.
“Cybersecurity threats are escalating, thereby unnerving boards of directors, managers, investors and customers of businesses of all sizes — whether public or private,” Susan S. Coffey, executive vice president for public practice for AICPA, said in a statement.
The resources are designed to facilitate communication and risk management regarding cybersecurity.
In mid-April, AICPA’s Assurance Services Executive Committee released description criteria to help management teams lay out their cybersecurity program in a common language, and to help CPAs report on that program.
AICPA also produced control criteria, which are available for purchase, to help CPAs evaluate a client’s cybersecurity program.
In May, AICPA released an attestation guide, “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” to serve as an interpretive publication to sections in the Statements on Standards for Attestation Engagements No. 18, published in April 2016. Those sections address requirements for CPAs who perform attestation examinations for their clients’ cybersecurity programs.
The guide includes an overview of the risks to a firm from a data breach; steps for accepting, planning and performing a risk management exam; and how to evaluate and report on the results, as well as information about professional standards and codes of conduct.
The criteria and guide are part of AICPA’s System and Organization Controls (SOC) for Cybersecurity service offerings, a suite of services that CPAs may offer their clients. AICPA is currently working on resources to help CPAs report on clients’ cybersecurity risk in their vendor supply chains.