Appendix A

Information for Entity Management

Introduction

In response to requests for information about the effectiveness of an entity’s cybersecurity risk management program, the AICPA has developed the cybersecurity risk management examination. In conjunction with that examination, the AICPA has also developed description criteria for use when preparing and evaluating the description of the entity’s cybersecurity risk management program and control criteria for use when evaluating the effectiveness of controls within the entity’s cybersecurity risk management program.

Overview of the AICPA Cybersecurity Risk Management Examination

A CPA (referred to as a practitioner in an attestation engagement) performs and reports in the cybersecurity risk management examination in accordance with the Statements on Standards for Attestation Engagements, commonly known as the attestation standards. Under those standards, an attestation engagement is predicated on the concept that a party other than the practitioner (that is, the responsible party) makes an assertion ...
