Article written by:
Michael Purcell, CPA
Cybersecurity continues to be a hot-button topic for all businesses. Just a few weeks ago, 237,000 systems in 150 countries were infected by the WannaCry attack in a period of a few days. Whether the threat is ransomware, data breaches, unauthorized intrusion into and control of Internet of Things (IoT) devices, or other cybersecurity attacks, organizations in all lines of business have been affected. Affected organizations may face monetary losses, litigation, loss of goodwill and brand reputation, and possible bankruptcy.
In an effort to help organizations manage cybersecurity risk, and to report on cybersecurity controls to management, shareholders, board members, investors and analysts, the American Institute of Certified Public Accountants (AICPA) has recently published a voluntary cybersecurity risk management reporting framework. The framework outlines nine categories for organizations to evaluate, along with guided points of emphasis for assessing the organization’s cybersecurity risks. Based on the assessed risks, organizations then assess their readiness to respond to any remaining unmitigated risks. If controls are missing, the guidance assists management and shareholders in selecting and implementing appropriate control activities from a number of widely used internal control frameworks. The guidance also assists management in reporting on the effectiveness of the controls in place. Completing and reporting on the organization’s assessment is voluntary, but doing so provides a consistent, standard evaluation model for users across businesses and industries.
The AICPA also issued guidance for CPA firms to provide attestation services and report on the effectiveness of the organization’s controls. CPA firms will provide an opinion on the organization’s description of its cybersecurity risk management program, prepared in accordance with the reporting framework, and on the effectiveness of the organization’s identified control activities. The report is appropriate for general use and is intended to provide a wide base of users with information about the organization’s cybersecurity risk management program, a key distinction from a SOC 2 engagement.
Further guidance and resources from the AICPA can be found at: AICPA SOC for Cybersecurity