A client organization discovers that it has been victimized by a security breach. Its technology specialists aren’t certain who is responsible for the breach, what systems have been compromised, and what data has been stolen. In fact, they aren’t even sure how many times its systems have been breached, and whether the vulnerabilities have been satisfactorily addressed.
Faced with such daunting circumstances, the Board of Directors of the client organization asks its public accounting firm to conduct a risk management examination and report its findings. But what can the accounting firm reasonably accomplish? And how should it structure its engagement with the client organization?
If this situation has captured your attention, you will want to attend the plenary panel discussion on cybersecurity at our upcoming midyear meeting. Professor Efrim Boritz of the University of Waterloo, a member of the AICPA Trust Information Integrity Task Force, will moderate a session entitled “Cybersecurity Risk Management Program Examination Engagements.”
The panelists will include:
(1) Chris Halterman, Executive Director, EY, and Chair, AICPA Trust Information Integrity Task Force.
(2) Amy Pawlicki, Director, Business Reporting, Assurance and Advisory Services, American Institute of CPAs.
(3) Paul Steinbart, Professor of Information Systems, W. P. Carey School of Business, Arizona State University.
We are all aware that cybercrime is quickly becoming one of the most significant economic issues affecting businesses, public sector organizations, and individuals around the world. Security breaches that involve the theft of confidential information often lead to financial losses, reputation damage, diminished stakeholder confidence, lost opportunities, and potential regulatory penalties.
Thus, the cybersecurity challenge is now drawing an immense amount of attention from the business, legislative, and regulatory communities. Accordingly, cybersecurity governance, internal control, management reporting, and assurance activities have become critical agenda items for academics and practitioners.
The CPA profession has long provided assurance and advisory services with regard to external reporting activities such as annual financial statements, regulatory compliance assessments, and information technology system controls reviews. Building on that experience, the AICPA has collaborated with the Center for Audit Quality to define an external reporting engagement on an entity’s cybersecurity risk management program.
The AICPA’s resulting proposal includes:
(1) A management-prepared narrative description of the entity’s cybersecurity risk management program.
(2) Management’s assertion that the description is presented in accordance with the description criteria, and that the controls within the program are effective to achieve the entity’s cybersecurity objectives, based on the control criteria.
(3) A practitioner’s opinion on whether the description is presented in accordance with the description criteria (i.e., its completeness and accuracy), and whether the controls within that program are effective to achieve the entity’s cybersecurity objectives, based on the control criteria.
Our midyear meeting panelists will engage in a discussion that addresses the following topics:
(1) The rationale and demand for a cybersecurity risk management program examination engagement.
(2) The standards and frameworks that are applicable to cybersecurity examination engagements.
(3) The key elements of a cybersecurity risk management program examination engagement, as envisioned by the AICPA working group on cybersecurity.
(4) The staffing and competency requirements for conducting cybersecurity engagements, as well as related curriculum implications.
(5) Research opportunities for addressing reporting and assurance issues that are related to cybersecurity risk management program examination engagements.
For more information, you are welcome to review the AICPA’s extensive online content regarding its cybersecurity initiative. And for even more helpful information, we strongly encourage you to join us at the cybersecurity panel discussion at our midyear meeting.