The AICPA is working on a new type of engagement which will give auditors a framework for providing organizations with an evaluation of their cybersecurity risk management, and is expected to release an exposure draft next week.
The examination was first made public in a chapter of a publication by the Internet Security Alliance (ISA) entitled Social Contract 3.0: Implementing a Market-Based Model for Cybersecurity. The particular chapter referring to the AICPA’s cybersecurity examination, called A new model for cybersecurity and auditing, was written by the Center for Audit Quality (CAQ).
In its chapter the CAQ called for enhanced consistency, providing a common language for management and boards to use when developing an enterprise-wide risk management programme. The CAQ noted that at the moment there are a vast number of players and a myriad of approaches in this space.
“Many of the actions being taken today are often reactive, piecemeal, or represent a ‘drill-down’ on specific identified items within a broader risk profile,” the CAQ wrote. “A comprehensive approach that is risk based and driven from the internal control structure of the company and that can be delivered with independence and objectivity offers a new approach for management and boards to bring to bear on cybersecurity risk.”
As such, the CAQ revealed that the AICPA has begun to develop a new process to audit internal controls related specifically to cybersecurity risk management.
“This cybersecurity examination would be separate and apart from the existing financial statement audit process. It could be performed by the external auditor or another audit firm,” the CAQ wrote. “The existing financial statement audit process and related internal control assessment do not extend to those controls specifically related to the cybersecurity procedures and controls of a company unless they impact the financial statement.”
The objective of such a cybersecurity report, according to the CAQ, would be to provide the user with:
- A description of the entity’s cybersecurity risk management program
- Management’s assertion about whether that description is fairly presented and whether the controls are suitably designed and operating effectively
- The practitioner’s opinion on fair presentation of the description and on the suitability of design and operating effectiveness of controls.
This examination would be entirely voluntary, and International Accounting Bulletin understands that the AICPA will release an exposure draft on Monday (19 September 2016).
Deloitte Advisory partner Sandy Herrygers told International Accounting Bulletin that Deloitte has been part of the working group of the AICPA focusing on the project.
“We believe the AICPA’s expected Cybersecurity Examination will help improve the transparency regarding the cybersecurity risk management posture of entities by providing an independent auditor’s report that could be used by multiple constituents,” she said.
Asked whether having an additional report on top of the auditor report wasn’t going against the trend of having shorter and more readable audit reports, Herrygers said: “The AICPA’s expected Cybersecurity Examination is not related to an external audit of the financial statements or internal control over financial reporting. It is a completely separate report on an entity’s cybersecurity risk management program.”
In an external audit of the financial statements and internal control over financial reporting, the purpose is to express an opinion on the financial statements and the effectiveness of internal control over financial reporting, she continued. “The purpose of the AICPA’s expected Cybersecurity Examination is to express an opinion on management’s description of their cybersecurity risk management program and controls. Cybersecurity risk and controls are a broader business issue that can affect all aspects of an entity’s operations, well beyond financial reporting. As such, these are two different audit reports with two completely different objectives, procedures, and opinions.”