Title Details

Founded in 1887, the American Institute of Certified Public Accountants (AICPA) represents the CPA and accounting professional nationally and globally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups, and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the accounting profession's technical and ethical standards.
The AICPA's founding established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, a licensing status and a commitment to serving the public trust.

1 Introduction and Background .01-.59

Introduction .01-.02

Potential Users of Cybersecurity Information and Their Interests .03-.07

Cybersecurity Risk Management Examination .08-.14

Difference Between Cybersecurity and Information Security .15-.17

Description of the Entity’s Cybersecurity Risk Management Program .18-.26

The Entity’s Cybersecurity Objectives .22-.26

Effectiveness of Controls Within the Entity’s Cybersecurity Risk Management Program .27-.29

Overview of the Cybersecurity Risk Management Examination .30-.44

Other Information About the Cybersecurity Risk Management Examination .36

Time Frame of Examination .37

Comparison of the Cybersecurity Risk Management Examination With an Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements .38

Cybersecurity Risk Management Examination that Addresses only a Portion of the Entity’s Cybersecurity Risk Management Program .39-.41

Cybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls (Design-Only Examination) .42-.44

Other Engagements Related to Controls Over Security, Availability, Processing Integrity, Confidentiality, or Privacy .45-.50

SOC 2 Engagements .46-.48

Comparison of a Cybersecurity Risk Management Examination and a SOC 2 Engagement .49

Engagements Under the AICPA Consulting Standards .50

Professional Standards .51-.56

Attestation Standards .52-.55

Code of Professional Conduct .56

Quality in the Cybersecurity Risk Management Examination .57-.59

2 Accepting and Planning a Cybersecurity Risk Management Examination .01-.145

Introduction .01-.02

Understanding Management’s Responsibilities .03-.07

Practitioner’s Responsibilities .08

Accepting or Continuing an Engagement .09-.14

Preconditions of a Cybersecurity Risk Management Examination .10-.14

Determining Whether the Subject Matter is Appropriate for the Cybersecurity Risk Management Examination .15-.41

Determining Whether the Subject Matter of the Engagement is Appropriate When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program .17-.23

Determining Whether the Subject Matter is Appropriate When the Examination Addresses Only the Suitability of the Design of Controls Within the Entity’s Cybersecurity Risk Management Program (Design-Only Examination) .24-.27

Determining Whether Management is Likely to Have a Reasonable Basis for the Assertion .28-.36

Consideration of Third Parties .37-.41

Assessing the Suitability and Availability of Criteria and the Related Cybersecurity Objectives .42-.61

Description Criteria .45-.47

Control Criteria .48-.54

Assessing the Suitability of the Entity’s Cybersecurity Objectives .55-.61

Requesting a Written Assertion and Representations From Management .62-.65

Considering Practitioner Independence .66-.69

Considering the Competence of Engagement Team Members .70-.73

Establishing the Terms of the Engagement .74-.85

Accepting a Change in the Terms of the Engagement .81-.85

Establishing an Overall Examination Strategy and Planning the Examination .86-.99

Considering Materiality During Planning .94-.99

Performing Risk Assessment Procedures .100-.110

Obtaining an Understanding of the Entity’s Cybersecurity Risk Management Program and Controls Within That Program 1.00-.103

Assessing the Risk of Material Misstatement .104-.110

Understanding the Internal Audit Function .111-.115

Planning to Use the Work of Internal Auditors .116-.131

Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors .118-.123

Deterining the Extent to Which to Use the Work of Internal Auditors .124-.125

Coordinating Procedures With the Internal Auditors .126-.130

Evaluating Whether the Work of Internal Auditors is Adequate for the Practitioners’ Purposes .131

Planning to Use the Work of an Other Practitioner .132-.138

Planning to Use the Work of a Practitioner’s Specialist .139-.145

3 Performing the Cybersecurity Risk Management Examination .01-.156

Responding to Assessed Risks and Obtaining Evidence .01-.13

Considering Materiality in Responding to the Assessed Risks and Planning Procedures .04-.08

Designing Overall Responses to the Risk Assessment .09-.13

Obtaining Evidence About Whether the Description of the Entity’s Cybersecurity Risk Management Program Is Presented in Accordance With the Description Criteria .14-.37

Materiality Considerations When Evaluating Whether the Description is Presented in Accordance With the Description Criteria .19-.21

Considering Whether the Description is Misstated or Otherwise Misleading .22-.26

Evaluating the Description When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program .27-.28

Procedures to Obtain Evidence About the Description .29-.33

Considering the Suitability of the Entity’s Cybersecurity Objectives .34-.37

Materiality Considerations When Evaluating the Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives .38-.42

Obtaining and Evaluating Evidence About the Suitability of the Design of Controls to Achieve the Entity’s Cybersecurity Objectives .43-.56

Identifying and Evaluating Deficiencies in the Suitability of Control Design .55-.56

Obtaining Evidence About the Operating Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives .57-.92

Designing and Performing Procedures to Evaluate the Operating Effectiveness of Controls .60-.62

Nature of Procedures to Evaluate the Effectiveness of Controls .63-.69

Evaluating the Reliability of Information Produced by the Entity .70-.78

Timing of Procedures .79-.82

Extent of Procedures .83-.89

Selecting Items to Be Tested .90-.91

Testing Changes to Controls .92

Risk Mitigation and Control Considerations Related to Third Parties .93-.98

Controls Did Not Need to Operate During the Period Covered by the Practitioner’s Report .99

Revising the Risk Assessment .100

Using the Work of Internal Auditors .101-.113

Using the Work of a Practitioner’s Specialist .114-.116

Evaluating the Results of Procedures .117-.123

Responding to and Communicating Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies .124-.130

Known or Suspected Fraud or Noncompliance With Laws or Regulations .124-.126

Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies .127-.130

Obtaining Written Representations From Management .131-.146

Requested Written Representations Not Provided or Not Reliable .136-.138

Subsequent Events and Subsequently Discovered Facts .139-.145

Subsequent Events Unlikely to Have an Effect on the Practitioner’s Opinion .146

Documentation .147-.151

Management’s Responsibilities at or Near Engagement Completion .152-.156

Modifying Management’s Assertion .153-.156

4 Forming the Opinion and Preparing the Practitioner’s Report .01-.65

Responsibilities of the Practitioner .01-.03

Forming the Practitioner’s Opinion .04-.11

Considering the Sufficiency and Appropriateness of Evidence .05

Considering Material Uncorrected Description Misstatements and Deficiencies .06-.08

Expressing an Opinion on the Subject Matters in the Cybersecurity Risk Management Examination .09-.11

Preparing the Practitioner’s Report .12-.15

Elements of the Practitioner’s Report .12-.13

Tailoring the Practitioner’s Report in a Design-Only Examination .14-.15

Modifications to the Practitioner’s Opinion .16-.25

Emphasis of Certain Matters .22-.23

Controls Did Not Operate During the Period Covered by the Report .24-.25

Material Misstatements .26-.41

Qualified Opinion .27-.29

Adverse Opinion .30-.31

Separate Paragraphs Because of Material Misstatements in the Description .32-.37

Separate Paragraphs Because of Material Deficiencies in the Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives .38-.41

Scope Limitation .42-.48

Qualified Opinion .45-.47

Disclaimer of Opinion .48

Restricting the Use of the Practitioner’s Report .49-.55

Restricting Use When Required by Professional Standards .49-.53

Restricting Use in Other Situations .54-.55

Distribution of the Report .56-.58

Reporting When Using the Work of an Other Practitioner .59

Reporting When a Specialist is Used for the Cybersecurity Risk Management Examination60 Report Date .61

Other Information .62-.65

Appendix

A Information for Entity Management

B Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2 Examination and Related Reports

C Description Criteria for Use in the Cybersecurity Risk Management Examination

D Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination

E Illustrative Management Assertion in the Cybersecurity Risk Management Examination

F-1 Illustrative Accountant’s Report in the Cybersecurity Risk Management Examination

F-2 Illustrative Accountant’s Report in a Cybersecurity Risk Management Examination that Addresses Only the Suitability of the Design of Controls Implemented Within the Entity’s Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time

G Illustrative Cybersecurity Risk Management Report

H Definitions

I Overview of Statements on Quality Control Standards

Index of Pronouncements and Other Technical Guidance

Subject Index