Get Ready for Examinations of Cybersecurity Risk Management Programs

When it comes to risk management, the risk of cyber-attacks on customer information is a challenge affecting businesses of all sizes today, and companies increasingly rely on technology to address it. However, even the most robust cybersecurity risk management program can still be vulnerable to a material cybersecurity breach. For CPAs, this challenge creates an opportunity to meet an important market demand. A firm can help its clients evaluate the effectiveness of their cybersecurity risk management programs with a cybersecurity risk management examination that is in line with the AICPA’s Guide to Reporting on an Entity’s Cybersecurity Risk Management Program and Controls.

AICPA Guide: Reporting on an Entity’s Cybersecurity Risk Management Program and Controls

With this in mind, the AICPA released its Cybersecurity Risk Management Framework to help companies meet cybersecurity challenges and to provide a framework for CPAs to examine and report on a company’s cybersecurity risk management program. The AICPA’s framework includes three resources:

  1. Description criteria for use by management in explaining its cybersecurity risk management program in a consistent manner, and for use by CPAs to report on management’s description.
  2. Control criteria for use by CPAs providing advisory or attestation services to evaluate and report on the effectiveness of the controls within a client’s program.
  3. Attest guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, which will be used to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.

Help from Knowledge-Based Nontraditional Engagements Examinations

CCH® ProSystem fx® Knowledge Coach is proud to incorporate the AICPA guidelines regarding the Cybersecurity Risk Management Program within the Knowledge-Based Nontraditional Engagements Examination Title. The 2018 version of the Knowledge-Based Nontraditional Engagements Title will be available in April 2018. It contains multiple new documents that relate specifically to an examination of an entity’s Cybersecurity Risk Management Program, including:

  • ATT-116 Overall Attestation Program: Examination Level Engagement on Cyber Security Risk Management Program
  • ATT-412 Evaluation of Management’s Description of the Entity’s Cybersecurity Risk Management Program
  • KBA-504 Basis for Inherent Risk Assessment: Cyber Security
  • AID-914 Report Preparation Checklist: Review-Level Attestation Engagement on a Cybersecurity Risk Management Program
  • COR-208 Engagement Letter: Examination Engagement on Cybersecurity Risk Management Program
  • COR-915 Representation Letter: Examination-Level Engagement on a Cybersecurity Risk Management Program
  • RPT-1030 Examination Engagement: Unmodified Opinion on an Entity’s Cybersecurity Risk Management Program
  • RPT-1031 Examination Engagement: Unmodified Opinion on an Entity’s Cybersecurity Risk Management Program that Addresses only the Suitability of the Design of Controls Implemented within the Entity’s Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time
  • RPT-1032 Examination Engagement: Modified Opinion on an Entity’s Cybersecurity Risk Management Program (Description)
  • RPT-1033 Examination Engagement: Modified Opinion on an Entity’s Cybersecurity Risk Management Program (Deficiencies in Controls)
  • RPT-1034 Examination Engagement: Qualified Opinion on an Entity’s Cybersecurity Risk Management Program (Scope Limitation)
  • RES-020 Examination-Level Engagement on Cybersecurity Risk Management Program: Illustrative Program Description
  • RES-021 Examination-Level Engagement on Cybersecurity Risk Management Program: Illustrative Management Assertion
  • RES-022 Trust Services Criteria

How to get access

Whether you have access to the Knowledge-Based Nontraditional Engagements Examination Title depends on two things. First, are you a current Knowledge Coach customer? Second, if you are a current customer, do you have a current license for this title?

For a current Knowledge Coach customer: If you already have the Knowledge-Based Nontraditional Engagements license, then you just need to download the 2018 edition from the Knowledge Coach Updates section of the Engagement Support Website and follow the instructions in the Release Notes. If you need the Knowledge-Based Nontraditional Engagements license, please refer to the following links:

For a firm that is not a current Knowledge Coach customer, learn more:

AUTHOR

Kurt Pitts

Kurt Pitts is a Senior Business Analyst at Wolters Kluwer Tax and Accounting North America. Kurt participates in the design and development of CCH® ProSystem fx® Knowledge Coach. Kurt also works with internal teams, editorial staff, and customers to provide new features and industry titles for CCH® ProSystem fx® Knowledge Coach. Prior to joining Wolters Kluwer in 2014, Kurt was a CPA with a top Southeast regional accounting firm; he holds a Bachelor’s Degree in Accounting from Georgia Southwestern State University.