The accounting profession is getting some new tools to deploy in its growing involvement with addressing cyber-risk.
The American Institute of Certified Public Accountants has finalized and issued for use a cyber-security risk management reporting framework that is meant to help companies articulate what they are doing to address cyber-risk. The focus of the framework is not to provide methods or controls for how to assess cyber-security risk management. Rather, the new AICPA framework is geared toward helping auditors, both internal and external, follow a common language and approach for reporting on cyber-risk to stakeholders who want and need some comfort around what the company is doing.
Public companies already have plenty of cyber-security risk management frameworks available to them, such as COBIT, NIST, ISO and others, says Amy Pawlicki, vice president of assurance and advisory innovation at the AICPA. “This is something that allows companies to report how they are managing cyber-risk in a consistent and meaningful way, and to do it in a way that’s strategic and objectives-based,” says Pawlicki.
In support of the new framework, the AICPA also developed and released description criteria that help management and accountants explain and report on a given cyber-security risk management program consistently, as well as control criteria to be used by an accountant in an advisory or attest engagement to evaluate and report on the effectiveness of controls within the program.
The look and feel should be somewhat familiar to accountants and auditors who are familiar with COSO’s Internal Control — Integrated Framework. “It’s based on the principles in the COSO internal control framework, so they give companies a common language for describing how they are managing cyber-risk,” says Pawlicki.
Still on deck, the AICPA plans to release in May the attest guide that goes with the rest of the materials, to help accountants who are engaged to examine and report on a company’s cyber-security risk readiness. The voluntary attest service will enable auditors to help companies examine their cyber-readiness and determine where they may have weaknesses to address.
When finalized, that last piece of the cyber-package will facilitate a consistent process for companies to explain to any number of stakeholder groups how they are managing and addressing cyber-risk, the AICPA says. Once it catches on, the AICPA envisions it will boost stakeholder confidence in a given company’s due diligence and care in managing cyber-risk.