Chapter 4

Forming the Opinion and Preparing the Practitioner’s Report

Responsibilities of the Practitioner

4.01 In the cybersecurity risk management examination, the practitioner is responsible for directly expressing an opinion, in a written report, on the following matters:

  1. Whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and

  2. Whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria

4.02 Because there are two distinct but complementary subject matters, the practitioner expresses an opinion on each in his or her report. Therefore, unless otherwise stated, a reference to the practitioner’s report in this chapter includes the practitioner’s responsibility to express an opinion on both the (1) description and (2) effectiveness of controls within the cybersecurity risk management program.

4.03 In some circumstances, management may engage the practitioner to perform an examination on the design of the controls rather than on their effectiveness. In that case, the practitioner reports on whether the (1) description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and (2) controls implemented within that program were suitably designed[1] to achieve the entity’s cybersecurity objectives. Paragraph 4.14 discusses how the elements of the practitioner’s report in paragraph 4.12 would be tailored in that situation.

Forming the Practitioner’s Opinion

4.04 When forming his or her opinion, paragraph .59 of AT-C section 205, Examination Engagements (AICPA, Professional Standards), requires the practitioner to evaluate

  1. the practitioner’s conclusion about the sufficiency and appropriateness of evidence obtained during the cybersecurity risk management examination and

  2. whether uncorrected misstatements are material, individually or in the aggregate.

Considering the Sufficiency and Appropriateness of Evidence

4.05 When forming his or her conclusion with respect to the sufficiency and appropriateness of evidence obtained during the examination, the practitioner exercises professional judgment, which is influenced by factors such as the following:

• The significance of a potential description misstatement or deficiency and the likelihood that it will have a material effect, individually or aggregated with other potential description misstatements and deficiencies, on the presentation of the description of the entity’s cybersecurity risk management program or on the effectiveness of controls to achieve the entity’s cybersecurity objectives based on the control criteria

• The effectiveness of management’s responses to address the known risks

• The experience gained during previous consulting or examination engagements with respect to similar potential description misstatements and deficiencies

• The results of procedures performed, including whether such procedures identified specific description misstatements and deficiencies

• The source and reliability of the available information

• The persuasiveness of the evidence

• The practitioner’s understanding of the entity and its environment

Considering Material Uncorrected Description Misstatements and Deficiencies

4.06 The cybersecurity risk management examination is a cumulative and iterative process. As the practitioner performs planned procedures, evidence obtained may cause the practitioner to alter the nature, timing, or extent of other planned procedures. For example, information such as the following—which differs significantly from the information on which the risk assessment and planned procedures were based—may come to the practitioner’s attention:

• The nature and number of identified description misstatements and deficiencies. (This may change the practitioner’s professional judgment about the reliability of particular sources of information.) For example, the practitioner may discover that management was unaware that detection tools were not implemented over a portion of the entity’s network. In response, the practitioner may determine that additional testing is needed to evaluate the effectiveness of other controls over that portion of the network.

• Identified discrepancies in relevant information or conflicting or missing evidence.

• Procedures performed toward the end of the engagement that indicate a previously unrecognized risk of material misstatement. As an example, assume that, while testing management’s procedures to mitigate security incidents, a practitioner becomes aware of a deficiency in the design of a control that prevents unauthorized access. The practitioner may determine that additional testing is needed to evaluate whether there are other suitably designed controls that operated effectively to mitigate the risk of unauthorized access addressed by the deficient control.

In such circumstances, the practitioner may need to reevaluate the planned procedures.

4.07 The practitioner also evaluates the effect of such uncorrected description misstatements or deficiencies on the engagement and on the opinion. The practitioner may conclude that additional appropriate evidence is required in order to form a conclusion about the description or control effectiveness. In such a case, the practitioner should design and perform additional procedures to obtain sufficient appropriate evidence.

4.08 If the practitioner concludes, based on the evidence obtained, that the description is not presented in accordance with the description criteria or that the controls were not effective to achieve the cybersecurity objectives based on the control criteria, he or she should modify the opinion to express a qualified or adverse opinion. Reporting in a cybersecurity risk management examination when the practitioner decides to modify the opinion is discussed beginning in paragraph 4.16.

Expressing an Opinion on the Subject Matters in the Cybersecurity Risk Management Examination

4.09 As discussed in paragraph 4.01, the practitioner expresses an opinion on two distinct but complementary subject matters in the cybersecurity risk management examination: (1) description of the entity’s cybersecurity risk management program and (2) the effectiveness of controls within the program to achieve the entity’s cybersecurity objectives. Depending on the circumstances, the practitioner’s opinion may be different for each subject matter.

4.10 When the practitioner concludes that an opinion modification on one of the subject matters is appropriate, the practitioner should also consider the effect on the opinion on the other subject matter. Consider the following examples:

• A practitioner expresses a qualified opinion on the effectiveness of the controls because certain controls did not operate consistently throughout the period under examination. The practitioner may conclude that the qualified opinion has no effect on his or her unmodified opinion on whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria. Accordingly, the practitioner would issue an unmodified opinion on the description.

• A practitioner expresses a qualified opinion on the description because management failed to disclose a significant subsequent event. The practitioner may conclude that, because the subsequent event did not affect the effectiveness of controls during the period covered by the examination, a qualification of the opinion on control effectiveness is not necessary.

• A practitioner disclaims an opinion on the description because of a lack of sufficient appropriate evidence about whether key security policies and processes have been implemented during the specific period of time covered by the examination. In this situation, the lack of evidence also leads the practitioner to disclaim an opinion about the effectiveness of controls associated with such key security policies and processes.

4.11 If the practitioner’s report is intended for use by parties within the entity as well as users external to the entity, and the practitioner has decided to express different opinions on each of the subject matters, the practitioner should consider whether it is likely that external users will misunderstand the practitioner’s opinion. If the practitioner believes there is a high risk of misunderstanding, he or she may consider adding an alert restricting the use of the report to board members, management, and others within the entity or to those third parties (specified parties) that are likely to understand it.

Preparing the Practitioner’s Report

Elements of the Practitioner’s Report

4.12 When a practitioner issues an unmodified opinion in the cybersecurity risk management examination, the practitioner’s report should include the following elements:

  1. A title that includes the word independent

  2. An appropriate addressee as required by the circumstances of the engagement (The report would ordinarily be addressed to management of the entity or to those charged with governance, such as board members.)

  3. Identification of the following:

    1. A description of the entity’s cybersecurity risk management program and the effectiveness of controls within that program,[2] as well as the specified period of time[3] to which they relate

    2. The criteria used to evaluate the description of the entity’s cybersecurity risk management program (description criteria) and the criteria used to evaluate whether controls within that program were effective to achieve the entity’s cybersecurity objectives (control criteria)

  4. A statement that an entity’s cybersecurity risk management program is the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that were not prevented

  5. A statement that identifies management as the responsible party and indicates management’s responsibilities, including matters such as the following:

    1. Establishing the entity’s cybersecurity objectives, which are presented on page XX of the description

    2. Designing, implementing, and operating the cybersecurity risk management program, including the controls within that program, to achieve the entity’s cybersecurity objectives

    3. Preparing the description of the entity’s cybersecurity risk management program

    4. Providing an assertion about whether

      1. the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and

      2. the controls within the cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives

    5. Selecting, and identifying in its assertion, the description criteria and the control criteria

    6. Having a reasonable basis for its assertion about whether the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives by performing an assessment of the effectiveness of those controls based on the control criteria

  6. A statement indicating that the practitioner’s responsibility is to express an opinion, based on the examination, about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria

  7. A statement indicating that the examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants

  8. A statement indicating that those standards require the practitioner to plan and perform the cybersecurity risk management examination to obtain reasonable assurance about whether, in all material respects,

    1. the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and

    2. the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria

  9. A statement describing the nature of a cybersecurity risk management examination, using language such as the following, indicating that the examination includes

    1. obtaining an understanding of the entity’s cybersecurity objectives and its cybersecurity risk management program,

    2. assessing the risks that the description is not presented in accordance with the description criteria and that the controls within that program were not effective, and

    3. performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria and whether the controls were effective

  10. A statement asserting that the practitioner’s examination also included performing such other procedures as considered necessary in the circumstances and that the practitioner believes the evidence obtained is sufficient and appropriate to provide a reasonable basis for the opinion

  11. A statement about the inherent limitations of an entity’s cybersecurity risk management program, which may include statements such as the following:

    1. There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention of controls.

    2. Because of inherent limitations in its cybersecurity risk management program, an entity may achieve reasonable, but not absolute, assurance that all security events are prevented and, for those that are not prevented, detected on a timely basis.

    3. Examples of inherent limitations in a cybersecurity risk management program include

      1. vulnerabilities in information technology components as a result of design by their manufacturer or developer,

      2. ineffective controls at a vendor or business partner, and

      3. persistent attackers with the resources to use advanced technical means and sophisticated social engineering techniques specifically targeting the entity.

    4. Furthermore, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

  12. The practitioner’s opinion about whether, in all material respects,

    1. the description of the entity’s cybersecurity risk management program throughout the period [date] to [date] is presented in accordance with the description criteria and

    2. the controls within that program were effective throughout the period [date] to [date] to achieve the entity’s cybersecurity objectives based on the control criteria

  13. The manual or printed signature of the practitioner’s firm

  14. The city and state where the practitioner practices

  15. The date of the report

4.13 Appendix F-1 presents an illustrative practitioner’s report with an unmodified opinion. Headings in that illustrative report are optional.

Tailoring the Practitioner’s Report in a Design-Only Examination

4.14 When the practitioner has been engaged to perform a design-only examination, certain of the elements in paragraph 4.12 would be tailored to refer specifically to the matters addressed by the design-only report. For instance, among other things, all references to management’s assertion and the practitioner’s opinion would be revised to refer to the following:

  1. the description throughout the period [date] to [date] is presented in accordance with the description criteria and

  2. the controls within that program were suitably designed throughout the period [date] to [date] to achieve the entity’s cybersecurity objectives based on the control criteria

4.15 Appendix F-2, Illustrative Accountant’s Report in a Cybersecurity Risk Management Examination that Addresses Only the Suitability of the Design of Controls Implemented Within the Entity’s Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time, presents an illustrative practitioner’s design-only report with an unmodified opinion. Headings in that illustrative report are optional.

Modifications to the Practitioner’s Opinion

4.16 Paragraph .68 of AT-C section 205 requires the practitioner to modify the opinion when either of the following circumstances exists and, in the practitioner’s professional judgment, the effect of the matter is or may be material:

  1. The practitioner is unable to obtain sufficient appropriate evidence to conclude that the subject matter is in accordance with (or based on) the criteria, in all material respects. A limitation on the scope of the engagement ordinarily results in the practitioner either expressing a qualified opinion or disclaiming an opinion, depending on the circumstances that caused it. Scope limitations are discussed beginning in paragraph 4.42 of this guide.

  2. The practitioner concludes that, based on the evidence obtained,

    1. management’s description of the entity’s cybersecurity risk management program is not presented in accordance with the description criteria or

    2. the controls within that program were not effective to achieve the entity’s cybersecurity objectives based on the control criteria.

4.17 When determining whether to modify the practitioner’s opinion, the practitioner should consider the individual and aggregate effect of identified misstatements on the description of the entity’s cybersecurity risk management program or the effect of deficiencies on the effectiveness of the controls to achieve the entity’s cybersecurity objectives throughout the specified period.

4.18 A security incident may have a significant impact on the achievement of an entity’s cybersecurity objectives. For example, if an entity’s controls do not provide reasonable assurance that unauthorized access by an outside party to a critical system is detected in a timely manner, the entity’s ability to protect information in accordance with its cybersecurity objectives is significantly impaired. As a result, when controls are not effective in meeting one or more control criteria, there is a higher likelihood that the effect of the deficiency would be pervasive, causing the practitioner to express an adverse opinion.

4.19 In certain circumstances, a deficiency in controls may relate to only a limited portion of the entity’s information assets. For example, this might be the case if the practitioner identifies a deficiency at one subsidiary that affects the achievement of only one of the entity’s cybersecurity objectives, and that subsidiary’s information systems are isolated from the entity’s other information systems. In such circumstances, the practitioner may conclude that a qualified opinion is appropriate.

4.20 As illustrated in the following table, the practitioner’s professional judgment about the nature of the matter giving rise to the modification and the pervasiveness of its effects (or possible effects) on the description and the effectiveness of controls affects the type of opinion to be issued.

Practitioner’s Professional Judgment About the Pervasiveness of the Effects or Possible Effects on the Description or on the Effectiveness of Controls

Nature of Matter Giving Rise to the Modification | Material but Not Pervasive | Material and Pervasive
Scope limitation (the practitioner is unable to obtain sufficient appropriate evidence) | Qualified opinion | Disclaimer of opinion
Material misstatements (the description is materially misstated, or the controls were not effective to achieve the entity’s cybersecurity objectives) | Qualified opinion | Adverse opinion

4.21 If the practitioner believes a modified opinion is appropriate, he or she determines whether to issue a qualified or adverse opinion or whether to disclaim an opinion. When a modified opinion will be issued, paragraph .69 of AT-C section 205 states that the practitioner should include a separate paragraph in the report that provides a description of the matter(s) giving rise to the modification.

Emphasis of Certain Matters

4.22 When the practitioner believes there are certain matters that are particularly relevant for report users to understand the subject matter or the practitioner’s report, the practitioner may include additional paragraphs to emphasize those matters in his or her report. For example, a practitioner might decide to highlight a certain matter in the report when

• the description is appropriately presented but specific circumstances of the entity’s operating environment are, in the practitioner’s professional judgment, of such importance that they are necessary for users’ understanding of the entity’s cybersecurity risk management program and the effectiveness of controls within that program.

• changes to the entity’s controls occurred after the end of the examination period but, in the practitioner’s judgment, could affect the usefulness of the information presented in the report to intended users’ decision making.

4.23 The following is an example of a paragraph emphasizing a situation in which the entity experienced a significant operating disruption after the examination period but before issuance of the practitioner’s report:

As described on page X of the description, subsequent to the period covered by the cybersecurity risk management examination report, ABC Entity’s data center was flooded and rendered inoperable for a period of two weeks by a severe storm that occurred in January 20XX.

Controls Did Not Operate During the Period Covered by the Report

4.24 In certain circumstances, management’s description of the entity’s cybersecurity risk management program may include key processes that ordinarily operate during the period covered by the examination but did not operate during that period because the circumstances that warrant the operation of those processes and associated controls did not occur. For example, an identified security event involving the unauthorized access of confidential information by an entity employee would not always trigger the operation of all recovery processes and controls (such as restoring systems and data from clean backups and replacing compromised files), particularly if the event did not result in a data loss. In these circumstances,

• management would continue to include the processes in its description.

• management would modify its assertion to identify which key processes did not operate during the period and indicate that they did not operate because the circumstances that warranted the operation of those processes and associated controls did not occur during the period.

• the practitioner would include in the report a paragraph emphasizing that the key processes and associated controls did not operate, including a statement that no tests of those controls were performed.

4.25 The following is an example of an additional paragraph that might be added to the practitioner’s report in this situation:

ABC Entity’s description of its cybersecurity risk management program includes its cybersecurity incident response and recovery plan (CIRP), which discusses the key security policies and processes implemented and operated to respond to and recover from security incidents. To meet control criteria CC7.4, “The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate,” and CC7.5, “The entity identifies, develops, and implements activities to recover from identified security incidents,” ABC Entity’s CIRP includes procedures to help understand, contain, monitor, or eradicate a security incident; restore normal business operations in a timely manner with minimal, or no, business interruption or loss of data; and communicate with affected parties. However, during the period [date] through [date], ABC Entity did not experience a security incident that would warrant the operation of the response and recovery processes and controls within its CIRP. Because those controls did not operate during the period, we were unable to test, and did not test, the operating effectiveness of those controls to meet control criteria CC7.4 and CC7.5.

Material Misstatements

4.26 When the practitioner has obtained sufficient appropriate evidence but has identified description misstatements or deficiencies that, individually or in the aggregate, are believed to be material or material and pervasive to the description or control effectiveness, the practitioner should determine whether to issue a qualified opinion or an adverse opinion. Chapter 3, “Performing the Cybersecurity Risk Management Examination,” of this guide discusses materiality considerations related to identified description misstatements or deficiencies that, individually or in the aggregate, are believed to be material or material and pervasive to the description or control effectiveness.

Qualified Opinion

4.27 According to paragraph .70 of AT-C section 205, the practitioner should express a qualified opinion when he or she, after having obtained sufficient appropriate evidence, concludes

• the description misstatements, either individually or in the aggregate, are material but not pervasive or

• deficiencies in the design or operation of controls are material but not pervasive.

4.28 In that case, paragraph .69 of AT-C section 205 states that the practitioner should add a separate paragraph to the practitioner’s report that provides an explanation of the matter(s) giving rise to the modification.

4.29 In addition, the illustrative practitioner’s report in appendix F-1 of this guide would be modified by

• stating in the opinion paragraph that, except for the effects of the matter(s) giving rise to the modification, the description is presented in accordance with the description criteria or the controls were effective to achieve the entity’s cybersecurity objectives based on the control criteria, in all material respects, and

• amending the practitioner’s responsibility paragraph to state that the practitioner believes that the evidence the practitioner has obtained is sufficient and appropriate to provide a basis for the practitioner’s qualified opinion.

Adverse Opinion

4.30 Paragraph .72 of AT-C section 205 states that the practitioner should issue an adverse opinion when he or she concludes that

• the description misstatements, either individually or in the aggregate, are material and pervasive or

• deficiencies in the design or operation of controls are material and pervasive.

4.31 When the practitioner expresses an adverse opinion, the illustrative practitioner’s report in appendix F-1 should be modified by

• including, in a separate paragraph, a clear explanation of the matter(s) giving rise to the modification;

• stating, in the opinion paragraph, that because of the significance of the matter(s) giving rise to the modification, the description is not presented in accordance with the description criteria, or the controls were not effective to achieve the entity’s cybersecurity objectives based on the control criteria, in all material respects, or both; and

• amending the practitioner’s responsibility paragraph to state that the practitioner believes that the evidence the practitioner has obtained is sufficient and appropriate to provide a basis for the practitioner’s adverse opinion.

Separate Paragraphs Because of Material Misstatements in the Description

4.32 If the practitioner has identified misstatements in the description that, individually or in the aggregate, are material, and management is unwilling to amend the description, the practitioner should modify the opinion about whether the description was prepared in accordance with the description criteria.

4.33 Beginning in paragraph 4.34, this guide presents examples of separate paragraphs that might be appropriate when misstatements in the description have caused the practitioner to conclude that the opinion on the description should be modified. Ordinarily, the same paragraphs may be used regardless of whether the practitioner intends to express a qualified or adverse opinion on the description.

Description Includes Information That Is Considered Misleading

4.34 The following is an example of a separate paragraph that might be appropriate when the description of the entity’s cybersecurity risk management program includes information that is considered misleading to report users:

On page XX of the accompanying description, ABC Entity states that changes to software other than those classified as minor are subject to vulnerability scanning prior to implementation. However, during the period [date] to [date], only one out of 15,000 changes was classified as other than minor.

4.35 The following is an example of a separate paragraph that might be appropriate when the description of the entity’s cybersecurity risk management program includes subjective information that is not objectively measurable:

On page XX of the accompanying description, ABC Entity states that its information security function is the industry’s best and is staffed by the most talented IT personnel. Because there are no criteria against which these attributes can be measured, these statements are not measurable and cannot be objectively evaluated within the scope of this examination.

Description Omits Relevant Changes to Controls

4.36 The following is an example of a separate paragraph that might be appropriate when the description does not address relevant changes to the entity’s cybersecurity controls:

The accompanying description on page XX states that the information security group monitors and reviews user access on a monthly basis. However, our procedures indicated that this control was first implemented on July 1, 20XX, three months after the beginning of the period addressed by this report.

Description Omits Information Relevant to One or More Description Criteria

4.37 If management refuses to include information about one or more description criteria in its description, the practitioner ordinarily would express either a qualified or an adverse opinion on the description. Management may refuse to disclose such information, for example, if it believes the disclosures may expose the entity’s information assets to additional cybersecurity risks. The following paragraph might be appropriate if management refuses to disclose information in accordance with description criterion 6 about identified security incidents during the examination period.

The accompanying description of ABC Entity’s cybersecurity risk management program omits information necessary to meet description criterion 6, “For security incidents that (1) were identified during the 12-month period preceding the period end date of management’s description and (2) resulted in a significant impairment of the entity’s achievement of its cybersecurity objectives, disclosure of the following: (a) nature of the incident; (b) timing surrounding the incident; and (c) extent (or effect) of those incidents and their disposition.” Disclosure of such information is necessary for the description to be presented in accordance with the description criteria.

Separate Paragraphs Because of Material Deficiencies in the Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives

4.38 If the practitioner has identified deficiencies in the effectiveness of controls that, individually or in the aggregate, are material, the practitioner should modify the opinion (with either a qualified or adverse opinion) about whether the controls were effective to achieve the entity’s cybersecurity objectives.

4.39 Paragraph 4.41 presents an example of a separate paragraph that might be appropriate when deficiencies in the effectiveness of controls have caused the practitioner to conclude that the opinion on control effectiveness should be modified. Ordinarily, the same paragraph may be used regardless of whether the practitioner intends to express a qualified or adverse opinion on control effectiveness.

Deficiencies in the Design of Controls to Achieve the Entity’s Cybersecurity Objectives

4.40 The following is an example of a separate paragraph that might be appropriate if the practitioner has identified deficiencies in the suitability of the design of controls that affect the entity’s ability to achieve its cybersecurity objectives and, accordingly, affect the opinion on control effectiveness:

The accompanying description of ABC Entity’s cybersecurity risk management program states on page 8 that ABC Entity makes changes to systems only if the changes are authorized, tested, and documented. ABC Entity’s procedures, however, do not include a requirement to approve changes before placing the changes into operation. As a result, controls were not suitably designed to meet criterion CC8.1, The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Deficiencies in the Effectiveness of Controls During a Portion of the Period

4.41 If the practitioner has identified deficiencies in the effectiveness of controls but the factors that led to the deficiencies are corrected by management during the period under examination, the practitioner should modify the opinion and provide an explanation of the matter(s) giving rise to the modification and the period of time for which those matters existed. The following is an example of such a separate paragraph:

The accompanying description of ABC Entity’s cybersecurity risk management program states on page 8 that ABC Entity makes changes to systems only if the changes are authorized, tested, and documented. However, during the period January 1, 20XX, to March 31, 20XX, ABC Entity’s procedures did not include a requirement to approve changes before placing the changes into operation. On April 1, 20XX, ABC Entity implemented a procedure requiring that all changes be approved by the director of application development before being placed into operation. As a result, during the period January 1, 20XX, to March 31, 20XX, controls were not suitably designed to meet criterion CC8.1, The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Scope Limitation

4.42 As previously mentioned, a practitioner may express an unmodified opinion only when he or she has conducted the engagement in accordance with the attestation standards. If the practitioner has been unable to apply all the procedures considered necessary in the circumstances, the practitioner would not have complied with the attestation standards.

4.43 According to paragraph .A107 of AT-C section 205, a scope limitation may arise from any of the following:

  1. Circumstances beyond the control of management. For example, documents that the practitioner considers necessary to inspect were in the custody of a vendor whose services are no longer in use and the documents no longer exist.

  2. Circumstances relating to the nature or timing of the practitioner’s work. For example, a physical process that the practitioner considers necessary to observe may have occurred before the practitioner’s engagement or may not be performed regularly during the examination period. (However, an inability to perform a specific procedure does not constitute a scope limitation if the practitioner is able to obtain sufficient appropriate evidence by performing alternative procedures.)

  3. Limitations imposed by management (or the engaging party, if different). For example, management may have imposed a limitation that prevents the practitioner from performing a procedure that the practitioner considers necessary in the circumstances. Limitations of this kind may have other implications for the engagement, such as for the practitioner’s consideration of risks of material misstatement and for engagement acceptance and continuance.

4.44 When there is a scope limitation, the practitioner should determine the pervasiveness of the effects or possible effects on the description of the entity’s cybersecurity risk management program and on control effectiveness. According to paragraph .70 of AT-C section 205, the practitioner should express a qualified opinion when the practitioner is unable to obtain sufficient appropriate evidence on which to base the opinion and the practitioner has concluded that the possible effects on the subject matter of undetected description misstatements or deficiencies, if any, could be material but not pervasive to the subject matter. Paragraph .74 of AT-C section 205 indicates that the practitioner should disclaim an opinion when the practitioner is unable to obtain sufficient appropriate evidence on which to base the opinion and the practitioner concludes that the possible effects on the subject matter of undetected description misstatements or deficiencies, if any, could be both material and pervasive.

Qualified Opinion

4.45 When expressing a qualified opinion, the illustrative practitioner’s reports in appendix F-1 would be modified by

• including, in a separate paragraph before the opinion paragraph, a clear explanation of the matter(s) giving rise to the modification;

• stating, in the opinion paragraph, that except for the possible effects of the matter(s) giving rise to the modification, the description is presented in accordance with the description criteria and the controls were effective to achieve the entity’s cybersecurity objectives based on the control criteria, in all material respects; and

• amending the practitioner’s responsibility paragraph to state that the practitioner believes that the evidence the practitioner has obtained is sufficient and appropriate to provide a basis for the practitioner’s qualified opinion.

4.46 If the practitioner expresses a qualified opinion because of a scope limitation, and also concludes there were material misstatements in the description or material deficiencies in the effectiveness of the controls to achieve the cybersecurity objectives, paragraph .78 of AT-C section 205 requires the practitioner to include, in the practitioner’s report, a clear explanation of both the scope limitation and the matter(s) that cause the description or the effectiveness of controls to be materially misstated.

Separate Paragraph When a Scope Limitation Results in a Qualified Opinion

4.47 The following is an example of a separate paragraph that might be appropriate when the practitioner is unable to obtain sufficient appropriate evidence about whether controls were effective to achieve the entity’s cybersecurity objectives based on the control criteria and the practitioner has decided to issue a qualified opinion.

Page XX of the accompanying description of ABC Entity’s cybersecurity risk management program states that a service provider researches and classifies events logged by the intrusion detection software for follow-up by ABC Entity personnel. On July 15, 20X0, ABC Entity replaced its existing service provider (original service provider) with a new service provider. However, all records of the research performed by the original service provider were destroyed by that organization upon termination of the service agreement. As a result, we were unable to inspect evidence that independent research was performed on events logged by the intrusion detection software for the period January 1, 20X0, through July 14, 20X0. Accordingly, we were unable to determine whether controls were effective during the period January 1, 20X0, through July 14, 20X0, to achieve the entity’s cybersecurity objectives based on criterion CC6.1, The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.

Disclaimer of Opinion

4.48 When the practitioner decides to disclaim an opinion, paragraph .77 of AT-C section 205 provides guidance about modifications to the description of the practitioner’s responsibility and the description of the examination in the practitioner’s report. In addition to adding a separate paragraph to the practitioner’s report, the practitioner’s report should state that,

  1. because of the significance of the matter(s) giving rise to the modification, the practitioner has not been able to obtain sufficient appropriate evidence to provide a basis for an examination opinion, and

  2. accordingly, the practitioner does not express an opinion on the subject matter.

Restricting the Use of the Practitioner’s Report

Restricting Use When Required by Professional Standards

4.49 In certain circumstances, a practitioner is required to include in his or her report an alert paragraph that restricts the use of the report to certain parties. Such an alert is designed to avoid misunderstandings related to the use of the report, particularly if the report is taken out of the context in which the report is intended to be used.

4.50 In the following circumstances, paragraph .64 of AT-C section 205 states that the practitioner’s report should include an alert, in a separate paragraph, that restricts the use of the report:

  1. The practitioner determines that the criteria used to evaluate the subject matter are appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria.

  2. The criteria used to evaluate the subject matter are available only to specified parties.

4.51 If an alert paragraph is required, paragraph .65 of AT-C section 205 states that the alert should

  1. state that the practitioner’s report is intended solely for the information and use of the specified parties;

  2. identify the specified parties for whom use is intended; and

  3. state that the practitioner’s report is not intended to be and should not be used by anyone other than the specified parties.

4.52 The practitioner may identify the specified parties in his or her report by naming them, referring to a list of those parties, or identifying the class of parties, for example, “prospective buyers of XYZ Company’s pharmaceutical division.”

4.53 The following is an example of an alert paragraph that may be added to the practitioner’s report to restrict the use of the report to specified parties:

This report is intended solely for the information and use of [identify the specified parties] and is not intended to be and should not be used by anyone other than the specified parties.

Restricting Use in Other Situations

4.54 Although the practitioner is required to include an alert paragraph restricting the use of the practitioner’s report when the circumstances discussed beginning in paragraph 4.49 exist, paragraph .A94 of AT-C section 205 clarifies that the practitioner is never precluded from restricting the use of his or her report. As discussed throughout this guide, there are circumstances in which the practitioner may choose to restrict the use of the report, even though standards do not require it. In some circumstances, the practitioner may determine that certain types of individuals are likely to misunderstand the report and may experience adverse consequences from their decisions that result from the use of the information contained in the cybersecurity risk management examination report. As a result, the practitioner may decide to restrict the use of the report to persons who are unlikely to misunderstand it. Consider the following examples:

• When only a portion of an entity’s cybersecurity risk management program is the subject matter of the engagement, the practitioner may become aware of information that causes him or her to believe management has limited the subject matter because of its belief that an examination of the entire entity’s cybersecurity risk management program would result in a modified opinion. In that situation, the practitioner should consider whether

— an opinion on only a portion of an entity’s cybersecurity risk management program is likely to meet the information needs of report users and

— the resulting cybersecurity risk management examination report is subject to the risk of misunderstanding by all but a limited number of report users.

The practitioner’s concerns may lead him or her to decide to restrict the use of the practitioner’s report to those limited users.

• If the practitioner expects to express a different opinion on the description than on the effectiveness of controls, the practitioner may consider whether report users are likely to misunderstand the two opinions and why they are different. If the practitioner believes the risk of misunderstanding is high, the practitioner may conclude that it is appropriate to restrict the use of the practitioner’s report to board members, management, and others within the entity.

• In an initial cybersecurity risk management examination, the practitioner may conclude that potential report users external to the entity, if any, may misunderstand the nature of the engagement, the practitioner’s procedures, the inherent limitations of the engagement, or other elements of the engagement. These concerns may lead the practitioner to conclude that an alert to restrict the use of the report to board members, management, and others within the entity is appropriate.

4.55 If the practitioner decides to restrict the use of the report to specified parties, he or she should add a paragraph as described beginning in paragraph 4.51 of this guide.

Distribution of the Report

4.56 When engaged by management, the practitioner provides the report to management and those charged with governance; management distributes the report to intended users.

4.57 In most cases, the practitioner is engaged by management to perform the cybersecurity risk management examination. However, in some cases, the practitioner may be engaged by others. A practitioner ordinarily distributes his or her report only to the party that engaged the practitioner.

4.58 Paragraph .A100 of AT-C section 205 indicates that a practitioner may consider informing the responsible party and, if different, the engaging party or other specified parties that the report is not intended for distribution to parties other than those specified in the report. The practitioner may, in connection with establishing the terms of the engagement, reach an understanding with the responsible party or, if different, the engaging party that the intended use of the report will be restricted and may obtain the responsible party’s agreement that the responsible party and specified parties will not distribute the report to parties other than those identified therein. A practitioner is not responsible for controlling, and cannot control, distribution of the report after its release.

Reporting When Using the Work of an Other Practitioner

4.59 If the practitioner assumes responsibility for the work of an other practitioner, the practitioner should not refer to the other practitioner in his or her report.

Reporting When a Specialist Is Used for the Cybersecurity Risk Management Examination

4.60 As discussed in chapter 2, “Accepting and Planning a Cybersecurity Risk Management Examination,” the practitioner has sole responsibility for the opinion expressed in the cybersecurity risk management examination; that responsibility is not reduced by the use of the work of a specialist. For this reason, as discussed in paragraph .67 of AT-C section 205, the practitioner should not refer to the work of a practitioner’s specialist when the practitioner is expressing an unmodified opinion in the cybersecurity risk management examination. However, when the practitioner is expressing a modified opinion, paragraph .81 of AT-C section 205 permits the practitioner to make reference to the work of the specialist, when such reference is relevant to users’ understanding of the modification to the practitioner’s opinion. If the practitioner decides to make reference to the specialist in the report, the practitioner should indicate that such reference does not reduce the practitioner’s responsibility for that opinion.

Report Date

4.61 The practitioner dates his or her report no earlier than the date on which the practitioner has obtained sufficient appropriate evidence to support his or her opinion. According to paragraph .63 of AT-C section 205, that includes evidence that

• the examination documentation has been reviewed;

• the description of the entity’s cybersecurity risk management program and management’s assertion have been prepared; and

• management has provided a written assertion.

Other Information

4.62 When the practitioner is willing to permit the cybersecurity risk management examination report to be included in a document that contains other information or permit other information to be attached to the cybersecurity risk management examination report, that other information is not covered by the practitioner’s report. Paragraph .57 of AT-C section 205 requires the practitioner to read the other information to identify material inconsistencies between the other information and the description of the entity’s cybersecurity risk management program, management’s assertion, or the practitioner’s report or material misstatements of facts between the other information and information in the cybersecurity risk management examination report. If the practitioner identifies a material inconsistency or becomes aware of a material misstatement of fact in the other information, the description of the entity’s cybersecurity risk management program or the effectiveness of controls within that program, management’s assertion, or the practitioner’s report, the practitioner should discuss the matter with management of the entity.

4.63 If management refuses to correct or delete the other information containing a material inconsistency or a material misstatement of fact, paragraph .A67 of AT-C section 205 identifies the following examples of further actions the practitioner may take:

• Requesting the appropriate party or parties consult with a qualified third party, such as the appropriate party’s legal counsel

• Obtaining legal advice about the consequences of different courses of action

• If required or permissible, communicating with third parties (for example, a regulator)

• Describing the material inconsistency in the practitioner’s report

• Withdrawing from the engagement, when withdrawal is possible under applicable laws and regulations

4.64 If other information accompanies the description, or if the description of the entity’s cybersecurity risk management program and the practitioner’s report is included in a document containing other information, the other information should be differentiated from the information covered by the practitioner’s report.

4.65 Because of the nature of the other information or its presentation, the practitioner may decide to add a separate other-matter paragraph to the practitioner’s report, indicating that the other information is not covered by that report.
