TABLE OF CONTENTS
Potential Users of Cybersecurity Information and Their Interests
Cybersecurity Risk Management Examination
Difference Between Cybersecurity and Information Security
Description of the Entity’s Cybersecurity Risk Management Program
The Entity’s Cybersecurity Objectives
Effectiveness of Controls Within the Entity’s Cybersecurity Risk Management Program
Overview of the Cybersecurity Risk Management Examination
Other Information About the Cybersecurity Risk Management Examination
Comparison of a Cybersecurity Risk Management Examination and a SOC 2 Engagement
Engagements Under the AICPA Consulting Standards
Quality in the Cybersecurity Risk Management Examination
2 Accepting and Planning a Cybersecurity Risk Management Examination
Understanding Management’s Responsibilities
Practitioner’s Responsibilities
Accepting or Continuing an Engagement
Preconditions of a Cybersecurity Risk Management Examination
Determining Whether Management is Likely to Have a Reasonable Basis for the Assertion
Consideration of Third Parties
Assessing the Suitability and Availability of Criteria and the Related Cybersecurity Objectives
Assessing the Suitability of the Entity’s Cybersecurity Objectives
Requesting a Written Assertion and Representations From Management
Considering Practitioner Independence
Considering the Competence of Engagement Team Members
Establishing the Terms of the Engagement
Accepting a Change in the Terms of the Engagement
Establishing an Overall Examination Strategy and Planning the Examination
Considering Materiality During Planning
Performing Risk Assessment Procedures
Assessing the Risk of Material Misstatement
Understanding the Internal Audit Function
Planning to Use the Work of Internal Auditors
Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors
Deterining the Extent to Which to Use the Work of Internal Auditors
Coordinating Procedures With the Internal Auditors
Evaluating Whether the Work of Internal Auditors is Adequate for the Practitioners’ Purposes
Planning to Use the Work of an Other Practitioner
Planning to Use the Work of a Practitioner’s Specialist
3 Performing the Cybersecurity Risk Management Examination
Responding to Assessed Risks and Obtaining Evidence
Considering Materiality in Responding to the Assessed Risks and Planning Procedures
Designing Overall Responses to the Risk Assessment
Considering Whether the Description is Misstated or Otherwise Misleading
Procedures to Obtain Evidence About the Description
Considering the Suitability of the Entity’s Cybersecurity Objectives
Identifying and Evaluating Deficiencies in the Suitability of Control Design
Designing and Performing Procedures to Evaluate the Operating Effectiveness of Controls
Nature of Procedures to Evaluate the Effectiveness of Controls
Evaluating the Reliability of Information Produced by the Entity
Risk Mitigation and Control Considerations Related to Third Parties
Controls Did Not Need to Operate During the Period Covered by the Practitioner’s Report
Using the Work of a Practitioner’s Specialist
Evaluating the Results of Procedures
Known or Suspected Fraud or Noncompliance With Laws or Regulations
Obtaining Written Representations From Management
Requested Written Representations Not Provided or Not Reliable
Subsequent Events and Subsequently Discovered Facts
Subsequent Events Unlikely to Have an Effect on the Practitioner’s Opinion
Management’s Responsibilities at or Near Engagement Completion
Modifying Management’s Assertion
4 Forming the Opinion and Preparing the Practitioner’s Report
Responsibilities of the Practitioner
Forming the Practitioner’s Opinion
Considering the Sufficiency and Appropriateness of Evidence
Considering Material Uncorrected Description Misstatements and Deficiencies
Expressing an Opinion on the Subject Matters in the Cybersecurity Risk Management Examination
Preparing the Practitioner’s Report
Elements of the Practitioner’s Report
Tailoring the Practitioner’s Report in a Design-Only Examination
Modifications to the Practitioner’s Opinion
Controls Did Not Operate During the Period Covered by the Report
Separate Paragraphs Because of Material Misstatements in the Description
Restricting the Use of the Practitioner’s Report
Restricting Use When Required by Professional Standards
Restricting Use in Other Situations
Reporting When Using the Work of an Other Practitioner
Reporting When a Specialist is Used for the Cybersecurity Risk Management Examination
A Information for Entity Management
C Description Criteria for Use in the Cybersecurity Risk Management Examination
E Illustrative Management Assertion in the Cybersecurity Risk Management Examination
F-1 Illustrative Accountant’s Report in the Cybersecurity Risk Management Examination
G Illustrative Cybersecurity Risk Management Report
I Overview of Statements on Quality Control Standards