Appendix F-2

Illustrative Accountant’s Report in a Cybersecurity Risk Management Examination that Addresses Only the Suitability of the Design of Controls Implemented Within the Entity’s Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time

This illustration is nonauthoritative and is included for informational purposes only.

Independent Accountant’s Report

To Management of ABC Entity:

Scope

We have examined the accompanying description of ABC Entity’s cybersecurity risk management program titled [insert title of management’s description] as of [date] (description) based on the description criteria noted below. We have also examined the suitability of the design of controls implemented within that program to achieve the entity’s cybersecurity objectives based on the control criteria noted below.

The criteria used to evaluate the description are [name of the description criteria, e.g., AICPA Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program] (description criteria); the criteria used to evaluate the suitability of the design of the controls implemented within the entity’s cybersecurity risk management program to achieve the entity’s cybersecurity objectives are [name of the control criteria, e.g., the criteria for security, availability, and confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria) or other suitable criteria] (control criteria).

An entity’s cybersecurity risk management program is the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that were not prevented.

Entity’s Responsibilities

ABC Entity’s management is responsible for the following:

• Establishing the entity’s cybersecurity objectives, which are presented on page XX of the description

• Designing, implementing, and operating the cybersecurity risk management program, including the controls within that program, to achieve the entity’s cybersecurity objectives

• Preparing the accompanying description of the entity’s cybersecurity risk management program

• Providing an assertion about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether controls implemented within the cybersecurity risk management program were suitably designed to achieve the entity’s cybersecurity objectives.

When preparing its assertion titled [insert title of management’s assertion], ABC Entity management is responsible for (a) selecting, and identifying in its assertion, the description criteria and the control criteria and (b) having a reasonable basis for its assertion about whether the controls implemented within the entity’s cybersecurity risk management program were suitably designed to achieve the entity’s cybersecurity objectives by performing an assessment of the suitability of the design of those controls based on the control criteria. The description of the entity’s cybersecurity risk management program and management’s assertion accompany this report.

Accountant’s Responsibilities

Our responsibility is to express an opinion, based on our examination, about whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and whether the controls implemented within that program were suitably designed to achieve the entity’s cybersecurity objectives based on the control criteria.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, the description is presented in accordance with the description criteria and whether the controls implemented within the program were suitably designed to achieve the entity’s cybersecurity objectives based on the control criteria.

Our examination included

• obtaining an understanding of the entity’s cybersecurity objectives and its cybersecurity risk management program;

• assessing the risks that the description was not presented in accordance with the description criteria and that the controls implemented within that program were not suitably designed; and

• performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria and whether the controls implemented were suitably designed.

Our examination also included performing such other procedures as we considered necessary in the circumstances.

We did not perform any procedures regarding the operating effectiveness of the controls and, accordingly, we do not express an opinion thereon.

We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention of controls. Because of inherent limitations in its cybersecurity risk management program, an entity may achieve reasonable, but not absolute, assurance that all security events are prevented and, for those that are not prevented, detected on a timely basis.

Examples of inherent limitations in a cybersecurity risk management program include the following:

• Vulnerabilities in information technology components as a result of design by their manufacturer or developer

• Ineffective controls at a vendor or business partner

• Persistent attackers with the resources to use advanced technical means and sophisticated social engineering techniques specifically targeting the entity

Furthermore, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

Opinion

In our opinion, in all material respects,

• the description of ABC Entity’s cybersecurity risk management program as of [date] is presented in accordance with the description criteria and

• the controls implemented within that program were suitably designed to achieve the entity’s cybersecurity objectives as of [date] based on the control criteria.

[Accountant’s signature]

[Accountant’s city and state]

[Date of the accountant’s report]
