Appendix F-2

Illustrative Accountant’s Report in a Cybersecurity Risk Management Examination that Addresses Only the Suitability of the Design of Controls Implemented Within the Entity’s Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time

This illustration is nonauthoritative and is included for informational purposes only.

Independent Accountant’s Report

To Management of ABC Entity:

Scope

We have examined the accompanying description of ABC Entity’s cybersecurity risk management program titled [insert title of management’s description] as of [date] (description) based on the description criteria noted below. We have also examined the suitability of the design of controls implemented within that program to achieve the entity’s cybersecurity objectives based on the control criteria noted below.

The criteria used to evaluate the description are [name of the description criteria, e.g., AICPA Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program] (description criteria); the criteria used to evaluate the suitability of the design of the controls implemented within the entity’s cybersecurity risk management program to achieve the entity’s cybersecurity objectives are [name of the control criteria, e.g., the criteria for security, availability, and confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA ...
