Appendix F-1

Illustrative Accountant’s Report in the Cybersecurity Risk Management Examination

This illustration is nonauthoritative and is included for informational purposes only.

Independent Accountant’s Report

To Management of ABC Entity:

Scope

We have examined the accompanying description of ABC Entity’s cybersecurity risk management program titled [insert title of management’s description] throughout the period [date] to [date] (description) based on the description criteria noted below. We have also examined the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria noted below.

The criteria used to prepare the description are [name of the description criteria, e.g., AICPA Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program] (description criteria); the criteria used to evaluate whether the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives are [name of the control criteria, e.g., the criteria for security, availability, and confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria) or other suitable criteria] (control criteria).

An entity’s cybersecurity risk management program is the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that were not prevented.

Entity’s Responsibilities

ABC Entity’s management is responsible for the following:

• Establishing the entity’s cybersecurity objectives, which are presented on page XX of the description

• Designing, implementing, and operating the cybersecurity risk management program, including the controls within that program, to achieve the entity’s cybersecurity objectives

• Preparing the accompanying description of the entity’s cybersecurity risk management program

• Providing an assertion about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether controls within the cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives

When preparing its assertion titled [insert title of management’s assertion], ABC Entity management is responsible for (a) selecting, and identifying in its assertion, the description criteria and the control criteria and (b) having a reasonable basis for its assertion about whether the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives by performing an assessment of the effectiveness of those controls based on the control criteria. The description of the entity’s cybersecurity risk management program and management’s assertion accompany this report.

Accountant’s Responsibilities

Our responsibility is to express an opinion, based on our examination, about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, the description is presented in accordance with the description criteria and whether the controls within the program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

Our examination included

• obtaining an understanding of the entity’s cybersecurity objectives and its cybersecurity risk management program;

• assessing the risks that the description was not presented in accordance with the description criteria and that the controls within that program were not effective; and

• performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria and whether the controls were effective.

Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention of controls. Because of inherent limitations in its cybersecurity risk management program, an entity may achieve reasonable, but not absolute, assurance that all security events are prevented and, for those that are not prevented, detected on a timely basis.

Examples of inherent limitations in a cybersecurity risk management program include the following:

• Vulnerabilities in information technology components as a result of design by their manufacturer or developer

• Ineffective controls at a vendor or business partner

• Persistent attackers with the resources to use advanced technical means and sophisticated social engineering techniques specifically targeting the entity

Furthermore, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

Opinion

In our opinion, in all material respects,

• the description of ABC Entity’s cybersecurity risk management program throughout the period [date] to [date] is presented in accordance with the description criteria and

• the controls within that program were effective throughout the period [date] to [date] to achieve the entity’s cybersecurity objectives based on the control criteria.

[Accountant’s signature]

[Accountant’s city and state]

[Date of the accountant’s report]
