Chapter 2

Accepting and Planning a Cybersecurity Risk Management Examination

Introduction

2.01 Prior to accepting a cybersecurity risk management examination, AT-C section 105, Concepts Common to All Attestation Engagements (AICPA, Professional Standards), requires the practitioner to determine that certain preconditions are met. Among other things, those preconditions require the practitioner to determine whether the engagement team meets the ethical and competency requirements set forth in the professional standards and whether the engagement meets the relevant requirements of the attestation standards. Prior to engagement acceptance, a practitioner is also required to establish an understanding with management about its responsibilities and those of the practitioner in the cybersecurity risk management examination.

2.02 Once an engagement has been accepted, AT-C section 205, Examination Engagements (AICPA, Professional Standards), sets forth the requirements for developing an overall strategy and planning the engagement. This chapter discusses considerations for accepting and planning the cybersecurity risk management examination.

Understanding Management’s Responsibilities

2.03 As previously stated, the practitioner is required to establish, prior to acceptance of the cybersecurity risk management examination, an understanding with management about management’s responsibilities and those of the practitioner. This section provides an overview of management’s responsibilities.

2.04 Management is responsible for the entity’s cybersecurity risk management program, which generally involves the following:

• Identifying the types of information created, used, and stored by the entity and the systems used that are subject to cybersecurity risks

• Identifying the entity’s cybersecurity objectives

• Identifying and analyzing the risks that could prevent the entity from achieving its cybersecurity objectives based on the entity’s business objectives, including the cyber risks arising from interactions with third parties with access to one or more of the entity’s information systems

• Designing, implementing, operating, monitoring, and documenting controls that are effective to achieve the entity’s cybersecurity objectives

2.05 Additionally, the practitioner may choose to include in the understanding with management its responsibilities for the following:

• Defining the scope of the engagement, including whether the examination will cover the entity’s cybersecurity risk management program or only a portion of that program,1 and the time frame of the examination2

• Selecting the description criteria against which the presentation of the description will be evaluated and the control criteria against which the effectiveness of controls3 within the cybersecurity risk management program will be evaluated and stating both in management’s assertion

• Preparing the description of the entity’s cybersecurity risk management program in accordance with the description criteria

• Preparing a written assertion, to accompany the description, about whether

— the description is presented in accordance with the description criteria and

— the controls were effective to achieve the entity’s cybersecurity control objectives based on the control criteria

• Having a reasonable basis4 for its assertion

• Agreeing to provide the practitioner with the following:

— Access to all information of which management is aware, such as records and documentation, including service-level agreements, that is relevant to the description of the entity’s cybersecurity risk management program and the assertion

— Access to additional information that the practitioner may request from management for the purpose of the cybersecurity risk management examination

— Unrestricted access to persons within the entity from whom the practitioner determines it is necessary to obtain evidence relevant to the cybersecurity risk management examination

— Written acknowledgment that internal auditors providing direct assistance will be allowed to follow the practitioner’s instructions without management intervention, if the practitioner intends to use internal auditors to provide direct assistance

— Written representations at the conclusion of the engagement, which will include the following:

• All known matters that might contradict the presentation of the description in accordance with the description criteria or the effectiveness of controls to achieve the cybersecurity objectives

• Any communication from regulatory agencies or others related to the presentation of the description or effectiveness of controls relevant to the cybersecurity risk management program

• All deficiencies in internal control relevant to the engagement, of which management is aware

• Any known actual, suspected, or alleged fraud5 or noncompliance with laws or regulations affecting the description or the effectiveness of controls

• Any known events subsequent to the period covered by the engagement up to the date of the practitioner’s report that would have a material effect on the description or the effectiveness of controls

• Other matters the practitioner deems appropriate (for example, discussion of matters considered material)

2.06 Management acknowledges these responsibilities in an engagement letter or other suitable form of written communication.

2.07 Appendix A, “Information for Entity Management,” provides further information about management’s responsibilities in the cybersecurity risk management examination.

Practitioner’s Responsibilities

2.08 During engagement acceptance and planning, the practitioner is responsible for the following:

• Determining whether to accept or continue a cybersecurity risk management examination for a particular client. In making this determination, the practitioner needs to consider whether the preconditions for accepting an examination engagement as discussed in paragraph 2.10 have been met.

• Establishing an understanding with management regarding the engagement, including the responsibilities of management and the responsibilities of the practitioner. (See paragraph 2.74)

• Reaching an understanding with management regarding their willingness and ability to provide a written assertion at the conclusion of the engagement. (See paragraph 2.65)

• Establishing an overall strategy for the cybersecurity risk management examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement. (See paragraph 2.86)

• To support the practitioner’s risk assessment procedures, obtaining an understanding of the entity’s cybersecurity objectives and how the cybersecurity risk management program is designed, implemented, and operated to achieve those objectives. (See paragraph 2.100)

Accepting or Continuing an Engagement

2.09 In determining whether to accept or continue the engagement, the practitioner should apply the policies and procedures the firm has developed in response to the requirement in paragraph .27 of QC section 10, A Firm’s System of Quality Control (AICPA, Professional Standards). Such policies often include consideration of the integrity and reputation of entity management and significant shareholders or principal owners to determine whether the firm’s reputation is likely to suffer by association. Generally, the practitioner will accept or continue a client relationship only after he or she has considered the integrity of entity management, significant shareholders, or principal owners and has no information that would lead the practitioner to believe that the client lacks integrity. Absent such information, a practitioner generally would conclude that it is unlikely that association with the client would expose the practitioner to undue risk of damage to his or her professional reputation or financial loss.

Preconditions of a Cybersecurity Risk Management Examination

2.10 Paragraphs .24–.25 of AT-C section 105 set forth a number of preconditions that should be met before accepting or continuing an attest engagement. In the cybersecurity risk management examination, the practitioner should accept or continue the engagement only if each of the following conditions is met:

  1. The practitioner is independent in accordance with the AICPA Code of Professional Conduct. (See paragraph 2.66)

  2. Management accepts responsibility for the

    a. preparation of the description of the entity’s cybersecurity risk management program in accordance with the description criteria and

    b. effectiveness of the controls within that program in achieving the entity’s cybersecurity objectives.

  3. The subject matters of the cybersecurity risk management examination are appropriate.

  4. The criteria used to prepare and evaluate the subject matters are both suitable and available to users of the report. (See paragraph 2.42)

  5. The practitioner expects to be able to obtain the evidence needed to arrive at his or her opinion on the description and on the effectiveness of controls and will have

    a. access to all information relevant to the measurement, evaluation, or disclosure of the subject matter;

    b. access to additional information that he or she may request; and

    c. unrestricted access to entity personnel.

2.11 If one or more of the preconditions in paragraph 2.10 of this guide are not present, the practitioner should discuss the matter with management and attempt to resolve the issue before accepting or continuing the engagement. Paragraph .28 of AT-C section 105 provides guidance to a practitioner who discovers, after the engagement is accepted, that one or more of the preconditions are not present.

2.12 In addition to the preconditions discussed in paragraph 2.10 of this guide, the practitioner should accept or continue a cybersecurity risk management examination only when the practitioner has

  1. no reason to believe that relevant ethical requirements (including independence) in the AICPA Code of Professional Conduct will not be satisfied. (See paragraph 2.66)

  2. determined that the individuals performing the engagement have the appropriate competence and capabilities to perform it. (See paragraph 2.70)

  3. reached an understanding with the engaging party about the terms of the engagement. (See paragraph 2.74)

  4. plans to include a written opinion expressed in the practitioner’s report included in the cybersecurity risk management examination report. (Chapter 4, “Forming the Opinion and Preparing the Practitioner’s Report,” of this guide discusses reporting in a cybersecurity risk management examination.)

2.13 Because of the immaturity of many entities’ cybersecurity risk management programs, management may not have realistic expectations about the performance of the engagement and the conclusions the practitioner will express at the end of the engagement. This is particularly true when there is a likelihood that the practitioner’s opinion (on the description, the effectiveness of controls, or both) may require qualification or other modification because of the lack of appropriate controls or sufficient appropriate evidence. During engagement acceptance, the practitioner may wish to discuss these factors with management in order to assist management in forming its expectations.

2.14 The practitioner may also wish to consider whether management is experiencing excessive pressure that may affect its actions during the course of the engagement. For example, such pressure may arise from a transaction that is contingent upon the receipt of an unmodified practitioner’s opinion by a certain date. In such a situation, management may be under pressure to not fully disclose all relevant information to the practitioner. In response, the practitioner may decline to accept the engagement or may conclude that the increase in attestation risk resulting from such pressures warrants modification of the nature, timing, and extent of the practitioner’s procedures to address the risks.

Determining Whether the Subject Matter is Appropriate for the Cybersecurity Risk Management Examination

2.15 Determining whether the subject matter is appropriate in the specific cybersecurity risk management examination involves consideration of the following:

• When management has requested that the subject matter of the engagement be less than the entity-wide program, whether information about only a portion of the entity’s cybersecurity risk management program is likely to meet the needs of report users

• When management has requested that, in addition to the description, the subject matter of the engagement only be the suitability of the design of controls implemented by the entity, whether information about only the suitability of design of controls within the entity’s cybersecurity risk management program is likely to meet the needs of report users

• Whether management is likely to have a reasonable basis for its assertion

2.16 As previously stated, there are two distinct but complementary subject matters in the cybersecurity risk management examination: (1) the description of the entity’s cybersecurity risk management program and (2) the effectiveness of the controls within that program in achieving the entity’s cybersecurity objectives. When determining whether the subject matters of the engagement are appropriate in the particular circumstances, the practitioner may consider factors such as whether

• users of the cybersecurity risk management examination report are likely to understand other factors related to the engagement, such as the nature of the engagement.

• the description criteria used to evaluate the presentation of the description can be understood by the users.

• the effect of third parties (customers, vendors, business partners, and others) with access to the entity’s systems on the entity’s cybersecurity risks is addressed by the cybersecurity risk management program and can be understood by the users.

• the control criteria used to evaluate the effectiveness of controls can be understood by the users.

• the period of time over which the engagement is to be performed will meet the information needs of the users.

If report users are unlikely to understand these factors or the period covered will not meet their needs, a greater potential exists for them to misunderstand the report. Consequently, the practitioner may decide not to accept the engagement or to restrict the use of the report.

Determining Whether the Subject Matter of the Engagement is Appropriate When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program

2.17 Management is responsible for determining whether the cybersecurity risk management examination will be performed on the entity-wide cybersecurity risk management program or on only a portion of that program. When making this determination, management needs to obtain an understanding of the needs of intended users of the cybersecurity risk management examination report to determine whether the subject matters of the engagement are likely to meet their needs.

2.18 As discussed in chapter 1, “Introduction and Background,” although the cybersecurity risk management examination discussed in this guide usually addresses an entity-wide cybersecurity risk management program, there may be circumstances in which management may engage the practitioner to examine and report on only a portion of that program. The cybersecurity risk management examination may be limited to any of the following:

• One or more specific business units, segments, or functions of an entity

— when those units, segments, or functions operate under an entity-wide cybersecurity risk management program; or

— when those units, segments, or functions operate under an independent cybersecurity risk management program

• One or more specific types of information used by the entity

2.19 For example, an entity plans to sell a particular division of its business that operates under a separate, independent cybersecurity risk management program, and potential buyers have expressed concerns about the cybersecurity risks they may be taking on through the purchase. In response to those concerns, management might engage a practitioner to examine and report on the cybersecurity risk management program of that division only.

2.20 Paragraph .25 of AT-C section 105 indicates that one of the preconditions for accepting an attestation engagement is that the subject matter is appropriate for the engagement. Paragraph .A41 of AT-C section 205 provides guidance useful to a practitioner if management engages the practitioner to examine a portion of the entity’s cybersecurity risk management program, as described in paragraph 2.17. If the practitioner has concerns about whether a report addressing only a portion of the entity’s cybersecurity risk management program is likely to meet the information needs of the intended users, the practitioner may decide not to accept the engagement. If the practitioner decides to accept the engagement, he or she may consider whether there is a risk that the report may be misunderstood by all but a limited number of report users. In that case, the practitioner may decide to restrict the use of the report to those limited users.

2.21 In the example described in paragraph 2.19, it would be reasonable for a practitioner to conclude that a cybersecurity risk management examination report addressing only the cybersecurity risk management program of the division to be sold is an appropriate subject matter for the engagement because such a report is likely to meet the informational needs of the potential buyers of the division. But the practitioner would likely conclude that the use of the report should be restricted to such buyers.

2.22 In making a determination about whether the subject matter is appropriate, the practitioner may become aware of information that causes him or her to believe management has limited the scope of the examination because of its belief that an examination of the entity-wide cybersecurity risk management program would result in a qualified or adverse opinion (on the description, the effectiveness of controls, or both). If the practitioner believes that users of the report are likely to misunderstand the limitation on the scope of the engagement and, as a result, the cybersecurity risk management examination report because of the omission of relevant factors regarding the entity’s overall cybersecurity risk management program, the practitioner may determine not to accept the engagement.

2.23 When the cybersecurity risk management examination will address only a portion of the entity’s cybersecurity risk management program, the language used in management’s assertion and in the practitioner’s report should be tailored to reduce the risk of misunderstanding by report users by clearly identifying the portion of the entity’s cybersecurity risk management program addressed in the examination.

Determining Whether the Subject Matter is Appropriate When the Examination Addresses Only the Suitability of the Design of Controls Within the Entity’s Cybersecurity Risk Management Program (Design-Only Examination)

2.24 As discussed in chapter 1, there may be circumstances in which management may not be prepared to make an assertion about whether the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives. In such circumstances, rather than making an assertion about whether controls were effective to achieve the entity’s cybersecurity objectives, management may make an assertion about the suitability of the design of controls within the program.

2.25 Such an examination, referred to in this guide as a design-only cybersecurity risk management examination (design-only examination), would include the following two subject matters: (1) the description of the entity’s cybersecurity risk management program and (2) the suitability of the design of the controls implemented within that program to achieve the entity’s cybersecurity objectives. Accordingly, a design-only examination would not provide report users with sufficient information to assess the effectiveness of controls within that program. However, the resulting report (design-only report) may be useful to report users who want to obtain an understanding of the entity’s cybersecurity risk management program and an overview of the security policies and processes implemented within that program.

2.26 The following are circumstances in which a design-only report might be useful:

• The entity’s cybersecurity risk management program has not been in operation for a sufficient length of time to enable the practitioner to gather sufficient appropriate evidence about the effectiveness of controls to achieve the entity’s cybersecurity objectives.

• The entity has recently made significant changes to its cybersecurity risk management program and the controls within that program and does not have a sufficient history with a stable program to enable an opinion on the effectiveness of controls to achieve the entity’s cybersecurity objectives.

2.27 Before accepting such an engagement, the practitioner should consider the informational needs of report users and whether such users may potentially misunderstand the practitioner’s opinion on the description and design only. The practitioner may consider restricting the use of a design-only report to board members, management, others within the organization, and specific third parties (specified parties) who are likely to understand it.

Determining Whether Management is Likely to Have a Reasonable Basis for the Assertion

2.28 Paragraph 2.10 indicates that, as one of the preconditions of the cybersecurity risk management examination, the practitioner should determine whether the subject matters are appropriate for the engagement. According to paragraph .A36 of AT-C section 105, one element of the appropriateness of the subject matters is the existence of a reasonable basis for measuring or evaluating the subject matters.

2.29 Management is responsible for having a reasonable basis for its assertion about the description and the effectiveness of controls within that program. Furthermore, because management’s assertion generally addresses the effectiveness of controls over a period of time, management’s basis for its assertion covers the same time frame.

2.30 The attestation standards do not require the practitioner to perform specific procedures to determine whether management has a reasonable basis for its assertion. However, because of the relationship between the monitoring and assessment of controls and their effectiveness in achieving the entity’s cybersecurity objectives, the practitioner ordinarily discusses with management the basis for its assertion prior to engagement acceptance. This will assist the practitioner in determining whether the basis appears reasonable for the size and complexity of the entity’s cybersecurity risk management program and whether the practitioner expects to be able to obtain sufficient appropriate evidence to arrive at his or her opinion (on the description, the effectiveness of controls, or both), which is also a precondition of the examination.

2.31 In the cybersecurity risk management examination, the practitioner’s consideration of whether management has a reasonable basis for its assertion is likely to be more challenging than in other types of examination engagements. That is because of

• the evolving nature of most entities’ cybersecurity risk management programs;

• the nature and complexity of risks those programs are designed to address and the evolving nature of those risks; and

• the breadth and complexity of the subject matter.

The remainder of this section discusses additional considerations when evaluating whether management has a reasonable basis for its assertion in a cybersecurity risk management examination.

2.32 The implementation of an effective cybersecurity risk management program is a significant endeavor for most entities, requiring the design and operation of technology solutions and complex processes and procedures, including those governing interactions with third parties (customers, vendors, business partners, and others) and their information systems. Because of these complexities, controls within the entity’s cybersecurity risk management program are unlikely to be effective without regular monitoring and assessment of controls. Therefore, monitoring and assessment of controls is ordinarily a key component of management’s basis for its assertion.

2.33 For those reasons, management generally will need to perform a formal assessment of the effectiveness of its controls to make its assertion. In most cases, during the assessment process, management will do the following:

  1. Evaluate the effectiveness of the entity’s procedures for identifying

    a. cybersecurity objectives based on the entity’s business objectives (for instance, delivery of services, production of goods, or protection of assets);

    b. information and other assets of the entity at risk, based on the scope of the engagement and defined cybersecurity objectives; and

    c. the threats to the information and other assets based on internal and external threat intelligence data, inherent vulnerabilities of information assets and other assets, and the linkages between such vulnerabilities and identified threats.

  2. Evaluate the effectiveness of the processes it uses to design and implement controls to mitigate risks. Evaluating the effectiveness of such processes may involve comparing the results of monitoring activities and reviewing the results of independent assessments and other activities designed to continuously improve controls based on lessons learned from security events.

  3. Assess the effectiveness of controls, particularly controls that monitor the effectiveness of other controls, to provide reasonable assurance of achieving the entity’s cybersecurity objectives. (This is particularly important when aspects of the entity’s cybersecurity risk management program controls have been outsourced to service providers. Paragraph 2.37 further discusses third-party considerations.)

2.34 In addition to the factors discussed in paragraph 2.31, the effectiveness of the entity’s cybersecurity controls is highly dependent on the existence of an accurate and complete inventory of the entity’s information assets6 and standard acquisition processes and configuration settings. If these do not exist, it may be difficult, or even impossible, for management to have a reasonable basis for its assertion.

2.35 Management’s basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of an entity’s cybersecurity risk management program and include activities such as the regular review by management of key system reports and participation in incident management processes. In addition, monitoring activities may include the periodic evaluations of controls through (a) assessments performed by the internal audit function or by knowledgeable personnel who are independent of the function being evaluated, (b) performance of penetration testing, and (c) review of reports of independent certifications made against established specifications (for example, International Organization for Standardization and International Electrotechnical Commission [ISO/IEC] Standard 27001 and HITRUST CSF). When such monitoring activities do not exist or they appear to be inadequate, it may be difficult for management to have a reasonable basis for its assertion.

2.36 Management generally documents the assessment in a variety of ways, such as through the use of policy manuals, narratives, flowcharts, decision tables, procedural write-ups, or questionnaires. The nature and extent of documentation usually varies, depending on the size and complexity of the entity and its monitoring activities.

Consideration of Third Parties

2.37 Monitoring activities are of increased importance if the entity has identified cybersecurity threats and vulnerabilities arising from interactions with third parties. As used in this guide, third parties include customers, vendors, business partners, and others who have access to one or more of the entity’s information systems, store confidential entity information on their systems, or otherwise transmit information back and forth between, or on behalf of, the entity.

2.38 Therefore, it is important for management to assess the cybersecurity risks arising from interactions with third parties, particularly when third parties operate controls necessary to achieve the entity’s cybersecurity objectives.

2.39 If management determines the risks associated with third parties are likely to be material to the achievement of the entity’s cybersecurity objectives (for example, due to the nature of access the third party has to the entity’s systems and information assets, or because of the controls the third party operates on behalf of the entity), monitoring controls at the entity are needed to allow management to determine whether the processes and controls performed by the third parties effectively address the identified risks. Such monitoring controls may include, but are not limited to, a combination of the following:

• Conducting assessments of whether third-party contractual agreements are in accordance with the entity’s policies

• Conducting periodic discussions with third parties and their employees

• Inspecting completed third-party security questionnaires and submitted documents to support their responses

• Conducting regular site visits to the third parties’ locations to observe the execution of controls

• Inspecting results of internal audit tests over the third parties’ controls

• Inspecting type 2 SOC 2 reports on aspects of the third parties’ operations that relate to their security, availability, and confidentiality controls pursuant to AT-C section 205

2.40 Management is responsible for the effectiveness of all of the processes and controls related to the entity’s cybersecurity risk management program, regardless of who performs the specific processes and controls. Therefore, unless management has processes and controls that monitor the effectiveness of the processes and controls performed by third parties, it may be difficult for management to have a reasonable basis for its assertion. For that reason, the practitioner ordinarily would discuss with management the use of third parties, including the nature and extent of the entity’s monitoring controls, to determine whether such controls are likely to be sufficient in the circumstances. If adequate monitoring controls do not exist, or if the practitioner believes that such controls are unlikely to be effective, it is unlikely that management would have a reasonable basis for making its assertion.

2.41 If the practitioner believes that management does not have reasonable basis for its assertion, or that sufficient appropriate evidence to support the basis is unlikely to be available, the practitioner should not accept or continue the engagement.

Assessing the Suitability and Availability of Criteria and the Related Cybersecurity Objectives

2.42 As discussed in chapter 1, two distinct sets of criteria are used in the cybersecurity risk management examination: description criteria and control criteria. As stated in paragraph 2.05, management is responsible for selecting the criteria to be used in the cybersecurity risk management examination. Management may select any description and control criteria that are suitable and available to intended users.

2.43 According to paragraph .A42 of AT-C section 105, criteria are suitable when they exhibit all of the following characteristics:

Relevance. Criteria are relevant to the subject matter.

Objectivity. Criteria are free from bias.

Measurability. Criteria permit reasonably consistent measurements, qualitative or quantitative, of subject matter.

Completeness. Criteria are complete when subject matters prepared in accordance with them do not omit relevant factors that could reasonably be expected to affect decisions of the report users made on the basis of that subject matter.

The relative importance of each characteristic to a particular engagement is a matter of professional judgment.

2.44 Criteria also need to be available to report users to allow them to understand how the entity has prepared its description and evaluated the effectiveness of controls in achieving the entity’s cybersecurity objectives. Criteria that are available publicly, included in the description, or included in the practitioner’s report are all considered available to report users. Sometimes, criteria are available only to certain report users; in this case, the practitioner’s report should include an alert restricting the use of the report to those parties, as required by AT-C section 205.

Description Criteria

2.45 Appendix C, “Description Criteria for Use in the Cybersecurity Risk Management Examination” of this guide presents description criteria that may be used by management when preparing and evaluating the description of the entity’s cybersecurity risk management program and by the practitioner when evaluating that description. Applying the description criteria in actual situations requires judgment. Therefore, in addition to the description criteria, appendix C presents implementation guidance for each criterion. The implementation guidance presents factors to consider when making judgments about the nature and extent of disclosures called for by each criterion. The implementation guidance does not address all possible situations; therefore, users should carefully consider the facts and circumstances of the entity and its environment in actual situations when applying the description criteria.

2.46 The description criteria in appendix C were promulgated by the Assurance Services Executive Committee (ASEC), which is designated by the Council of the AICPA under the AICPA Code of Professional Conduct to issue measurement criteria. Therefore, such criteria are considered suitable for use in the cybersecurity risk management examination. Because the description criteria are published by the AICPA and made available to the general public, they are considered available to report users. Therefore, the description criteria are both suitable and available criteria for the cybersecurity risk management examination.

2.47 The performance and reporting guidance in this guide assumes the use of the criteria presented in appendix C as the description criteria. However, as cybersecurity services continue to evolve, other description criteria may be developed. If management believes that other description criteria are suitable (that is, that other criteria exhibit the characteristics of suitable criteria in paragraph 2.43), management could select and use such criteria when developing and assessing the presentation of the description in the cybersecurity risk management examination. However, prior to accepting a cybersecurity risk management examination in which other criteria will be used, the practitioner is responsible for determining whether or not he or she agrees with management’s assessment about the suitability of the other criteria. In making his or her determination about the relevance, objectivity, measurability, and completeness of management’s selected description criteria, the practitioner may find it useful to compare the other description criteria identified by management to the description criteria in appendix C.

Control Criteria

2.48 When selecting the control criteria to be used in the evaluation of the effectiveness of controls within the entity’s cybersecurity risk management program, management may select any suitable control criteria. Management may select the criteria for the security, availability, and confidentiality categories in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria), as the control criteria. The trust services criteria for security, availability, and confidentiality are presented in appendix D, “Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination” of this guide.

2.49 Applying the trust services criteria in actual situations requires judgment. Therefore, in addition to the trust services criteria, appendix D also presents points of focus for each criterion. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its 2013 Internal Control—Integrated Framework (COSO framework), states that points of focus represent important characteristics of the criteria. Consistent with the COSO framework, the points of focus in appendix D may assist management when designing, implementing, and operating controls over security, availability, and confidentiality. In addition, the points of focus may assist both management and the practitioner when evaluating whether the controls were suitably designed and operated to meet the entity’s cybersecurity risk management objectives based on the trust services criteria.

2.50 The trust services criteria for security, availability, and confidentiality in appendix D were promulgated by the ASEC. The ASEC has determined that the trust services criteria for security, availability, and confidentiality are suitable for use in the cybersecurity risk management examination. Because they are also made available to general users, the control criteria are both suitable and available criteria for the cybersecurity risk management examination.

2.51 The performance and reporting guidance in this guide assumes the trust services criteria presented in appendix D are used as the control criteria, and all references hereafter to control criteria refer to the trust services criteria for security, availability, and confidentiality. Thus, examples and illustrations throughout the guide are based on these criteria. A practitioner engaged to perform a cybersecurity risk management examination in which other description or control criteria will be used should adapt this guidance as appropriate.

2.52 If management selects different criteria as the control criteria, the practitioner is responsible for determining whether he or she agrees with management’s assessment about the suitability and availability of the other control criteria. When making that determination, the practitioner should consider whether the other control criteria selected by management are relevant to the subject matter, objective, consistently measurable, and complete, as discussed in paragraph 2.43.

2.53 When considering whether the other control criteria are suitable for the engagement, the practitioner may find it helpful to compare the control criteria selected by management to the trust services criteria to determine whether the control criteria selected by management address substantially the same aspects of the entity’s cybersecurity risk management program as the trust services criteria for security, availability, and confidentiality.

2.54 If the practitioner determines that the selected criteria are not suitable, the practitioner typically works with management of the entity to identify suitable criteria. If management refuses to select suitable and available criteria for the engagement, the practitioner should not accept or continue the engagement.

Assessing the Suitability of the Entity’s Cybersecurity Objectives

2.55 As discussed in chapter 1, the achievement of the entity’s overall business objectives depends upon the identification, assessment, and management of the risks that threaten their achievement. One type of risk is the entity’s cybersecurity risks. Consequently, entities often establish sub-objectives, known as cybersecurity objectives, that address their specific cybersecurity risks. Similar to the entity’s overall business objectives, the cybersecurity objectives established by management need to be suitable to enable both management and the practitioner to evaluate whether controls within the entity’s cybersecurity risk management program are effective to achieve those objectives.

2.56 Management is responsible for establishing, and including in the description, suitable cybersecurity objectives to enable report users to understand the context in which the entity’s cybersecurity risk management program operates. Because control activities are designed and operated to address the risks that would prevent an entity’s cybersecurity objectives from being achieved, the practitioner is responsible for evaluating whether the cybersecurity objectives established by management are suitable to permit the practitioner to form a conclusion on the effectiveness of controls based on the control criteria. In making that evaluation, the practitioner should consider the attributes of suitable objectives described in the COSO framework. According to the COSO framework, suitable objectives are

specific. The objectives provide a clear understanding of the cybersecurity risks that need to be mitigated.

measurable or observable. The objectives permit an objective determination about whether each cybersecurity objective has been met.

attainable. The objectives permit the implementation of controls that, if suitably designed and operated effectively, provide reasonable assurance of achieving each objective.

relevant. The achievement of each cybersecurity objective supports the entity’s efforts to achieve its overall objectives.

time-bound. The objectives reflect the desired operation of cybersecurity controls over time.

2.57 As discussed earlier, cybersecurity objectives are established to address the cybersecurity risks that could otherwise threaten the achievement of the entity’s overall objectives. Consequently, in establishing the entity’s cybersecurity objectives, management also considers whether the cybersecurity objectives completely address those risks. Because the achievement of the entity’s overall objectives depends on the achievement of the cybersecurity objectives, the cybersecurity objectives also need to meet one additional attribute: completeness. To be complete, the set of cybersecurity objectives established by management needs to address the significant cybersecurity risks that threaten the achievement of the entity’s overall business objectives.

2.58 Management is likely to establish cybersecurity objectives that address several basic matters, regardless of the nature of the business and the industry in which the entity operates. Basic matters that management may consider when establishing the entity’s cybersecurity objectives include the following:

• Commitments made to third parties (customers, vendors, business partners, and others) related to the security and availability of information and systems, including commitments related to critical infrastructure and extended supply chains

• Laws and regulations to which the entity is subject as a result of the types of information it possesses or uses (for instance, protected health information and personally identifiable information)

• Commitments made as part of a certification and authorization process for government agencies and other parties

• Industry standards to which the entity is subject as a result of the types of information it uses (for instance, Payment Card Industry Data Security Standards for entities that accept or process credit card transactions)

• Other business initiatives

2.59 To assist management with the development and disclosure of the entity’s cybersecurity objectives, description criterion 3 (The entity’s principal cybersecurity risk management program objectives [cybersecurity objectives] related to availability, confidentiality, integrity of data, and integrity of processing), presented in appendix C, includes as implementation guidance the following example of cybersecurity objectives an entity might establish:

Availability

Enabling timely, reliable, and continuous access to and use of information and systems to do the following:

• Comply with applicable laws and regulations

• Meet contractual obligations and other commitments

• Provide goods and services to customers without disruption

• Safeguard entity assets and assets held in custody for others

• Facilitate decision making in a timely manner

Confidentiality

Protecting information from unauthorized access and disclosure, including means for protecting proprietary information and personal information subject to privacy requirements, to do the following:

• Comply with applicable laws and regulations

• Meet contractual obligations and other commitments

• Safeguard the informational assets of an entity

Integrity of Data

Guarding against improper information modification or destruction of information to support the following:

• The preparation of reliable financial information for external reporting purposes

• The preparation of reliable information for internal use

• Information nonrepudiation and authenticity

• The completeness, accuracy, and timeliness of processing

• Management holding employees and users accountable for their actions

• The operation of processes addressing the privacy of personal information

Integrity of Processing

Guarding against improper use, modification, or destruction of systems to support the following:

• The accuracy, completeness, and reliability of information, goods, and services produced

• The safeguarding of entity assets

• The safeguarding of life and health

2.60 In the cybersecurity risk management examination, management would tailor those cybersecurity objectives to reflect the entity’s business objectives based on the nature of the business and the industry in which it operates, the entity’s mission and vision, and the entity’s cybersecurity risk appetite.

2.61 Because of the close relationship among the entity’s cybersecurity objectives, the practitioner’s opinion on the effectiveness of controls, and report users’ understanding of the practitioner’s opinion, the practitioner should consider whether the cybersecurity objectives are suitable and complete. If the practitioner believes that the cybersecurity objectives established by management are not suitable and complete, the practitioner should discuss the matter with management. If management is unwilling to revise the cybersecurity objectives to address the practitioner’s concerns, the practitioner may decide (a) to refuse to accept the engagement or (b) to restrict the use of the report to those users who are able to understand the risks not addressed by the entity’s cybersecurity objectives. Chapter 3, “Performing the Cybersecurity Risk Management Examination,” discusses the situation when, after accepting the engagement, the practitioner obtains evidence that causes him or her to believe that the entity’s cybersecurity objectives are not suitable for the engagement.

Requesting a Written Assertion and Representations From Management

2.62 Paragraph .10 of AT-C section 205 requires the practitioner to request a written assertion from the responsible party that addresses both subject matters in the cybersecurity risk management examination. Specifically, the assertion addresses whether (1) the description is presented in accordance with the description criteria and (2) the controls within the program were effective to achieve the entity’s cybersecurity objectives.

2.63 Management’s assertion is included in the cybersecurity risk management examination report along with management’s description and the practitioner’s report. Because of the important role that the assertion plays in the engagement, it may be useful for the practitioner to provide management with an example of a written assertion prior to engagement acceptance. Such an example can be found in appendix E, “Illustrative Management Assertion in the Cybersecurity Risk Management Examination.”

2.64 If management refuses to provide a written assertion, paragraph .82 of AT-C section 205 requires the practitioner to withdraw from the engagement when withdrawal is possible under applicable laws and regulations. Consequently, it is important to obtain management’s agreement to provide the written assertion prior to engagement acceptance. If law or regulation does not allow the practitioner to withdraw, the practitioner should disclaim an opinion on the description and the effectiveness of controls.

2.65 Management is also required to provide the practitioner with written representations at the conclusion of the engagement. It may be useful for the practitioner to provide management with an example of the expected representations prior to engagement acceptance.

Considering Practitioner Independence

2.66 Paragraph .24 of AT-C section 105 and paragraph .06 of AT-C section 205 state that a practitioner must be independent when performing an attestation engagement such as the cybersecurity risk management examination. The only exception to this requirement is when the practitioner is required by law or regulation to accept the engagement and report on the subject matter. In that case, the practitioner is required to disclaim an opinion on the description and the effectiveness of controls and to specifically state in the report that the practitioner is not independent.

2.67 The “Independence Rule” (ET sec. 1.200.001) of the AICPA Code of Professional Conduct establishes independence requirements for attestation engagements. The “Independence Standards for Engagements Performed in Accordance with Statements on Standards for Attestation Engagements” subtopic (ET sec. 1.297) of the “Independence Rule” establishes special independence requirements for a practitioner who provides services under the attestation standards. In addition, the “Conceptual Framework Approach” subtopic (ET sec. 1.210) of the “Independence Rule” discusses threats to independence not specifically detailed elsewhere. The code specifies that, in some circumstances, no safeguards can reduce an independence threat to an acceptable level. For example, the code specifies that a covered member may not own even an immaterial direct financial interest in an attest client because there is no safeguard to reduce the self-interest threat to an acceptable level. A member may not use the conceptual framework to overcome this prohibition or any other prohibition or requirement in an independence interpretation.

2.68 When assessing independence in a cybersecurity risk management examination, the practitioner might consider matters including, but not limited to, (a) advisory work performed for the client that may directly or indirectly affect the entity’s cybersecurity risk management program, (b) fee arrangements for all services provided to the client, (c) firm and individual financial relationships, (d) firm business relationships, and (e) alumni and familial relationships with the client and client personnel. Because of the breadth of a cybersecurity risk management program and its relationship to all aspects of information technology, the practitioner needs to be particularly attentive to other services provided to the entity that may impair independence.

2.69 It is anticipated that, in most cybersecurity risk management examinations, management will be both the engaging party (client) and the responsible party; thus, management will accept responsibility for the description of the entity’s cybersecurity risk management program and its assertion about the effectiveness of the controls within that program. In some engagements, however, the engaging party may be someone other than management. For example, in a proposed acquisition, the engaging party might be the party interested in acquiring the entity. As part of its due diligence on the target company, the engaging party might want information about the entity’s cybersecurity risk management program to evaluate the additional risks the engaging party might be taking on in the event of a security breach at the entity. In such a situation, the practitioner is not required to be independent of the engaging party; however, the Code of Professional Conduct requires the practitioner to consider the applicable interpretation regarding conflicts of interest prior to accepting the engagement.

Considering the Competence of Engagement Team Members

2.70 Chapter 1 of this guide discusses quality in the cybersecurity risk management examination. Maintaining appropriate quality in the engagement involves having the work performed by engagement team members with the appropriate competence and capabilities. For that reason, as discussed in paragraph 2.12, the practitioner should not accept the cybersecurity risk management examination unless he or she has determined that the individuals performing the particular engagement have the appropriate competence and capabilities to perform it.

2.71 When considering the competence and capabilities of engagement team members, the engagement partner should consider whether the team assigned to the engagement collectively has, or can acquire, the following:

• An understanding, or the ability to obtain an understanding, of information security or cybersecurity risk management examinations gained through experience with engagements of a similar nature and complexity or through appropriate training and participation

• Knowledge of the entity’s industry and business, including whether the industry in which the entity operates is subject to specific types of or unusual cybersecurity risks

• Knowledge of relevant IT systems and technology, such as but not limited to mainframes, networking, firewalls or firewall techniques, security protocols, and operating systems

• Knowledge of any uncommon technologies or industry-specific technology used by the entity

• An understanding of IT processes and controls, such as the management of operating systems, networking, and virtualization software and related security techniques; security principles and concepts; software development; and incident management and information risk management

• Experience with evaluating the effectiveness of controls an entity has designed and implemented

• An understanding of professional standards and the ability to apply professional skepticism and judgment in the cybersecurity risk management examination

• An understanding of legal and regulatory requirements that are relevant to the cybersecurity risk management examination

2.72 In addition, the engagement partner should make sure that team members are informed of their responsibilities, including the objectives of the procedures that they are to perform and matters that may affect the nature, timing, and extent of such procedures. The engagement partner should also be satisfied that engagement team members have been directed to bring to his or her attention any significant questions raised during the engagement.

2.73 The engagement partner may decide to supplement the knowledge and skills of the engagement team with the use of specialists. Planning to use the work of a practitioner’s specialist is discussed in paragraph 2.139.

Establishing the Terms of the Engagement

2.74 Paragraph .07 of AT-C section 205 requires the practitioner to agree on, and document in a written communication, the terms of the engagement with the engaging party. Such a written communication reduces the risk that either the practitioner or management (who generally is the engaging party in the cybersecurity risk management examination) may misinterpret the needs or expectations of the other party. For example, it reduces the risk that management may intend to rely on the practitioner’s work to protect the entity against certain risks or to perform certain management functions. In addition, the practitioner’s preliminary understanding of the terms of the cybersecurity risk management examination enables the practitioner to identify whether there are any indications that either the scope of the engagement or the criteria to be used in the examination are unlikely to meet the information needs of report users.

2.75 According to paragraph .08 of AT-C section 205, the agreed-upon terms of the engagement should include, at a minimum, the following:

  1. The objective and scope of the engagement

  2. The responsibilities of the practitioner

  3. A statement that the engagement will be conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants

  4. The responsibilities of management and the responsibilities of the engaging party, if different

  5. A statement about the inherent limitations of the cybersecurity risk management examination

  6. Identification of the description criteria against which management’s description will be evaluated and the control criteria against which the effectiveness of the controls within the cybersecurity risk management program will be evaluated

  7. An acknowledgment that management (and the engaging party, if other than management) agrees to provide the practitioner with a representation letter at the conclusion of the engagement

2.76 In addition to these matters, the practitioner may decide to include other matters in the understanding, such as the identification of the entity’s cybersecurity objectives. Additional matters that may affect the practitioner’s understanding of the terms of the engagement and how the terms should be documented in a recurring engagement are discussed in paragraph .09 of AT-C section 205.

2.77 Paragraph .07 of AT-C section 205 states that the understanding with management should be documented in sufficient detail in an engagement letter or other appropriate form of written communication.

2.78 In certain circumstances, a practitioner is required by paragraph .64 of AT-C section 205 to include in his or her report an alert that restricts the use of the report to specified parties. In other circumstances, the practitioner may elect to restrict the use of the report, even though standards do not require it. An alert is designed to avoid misunderstandings related to the use of the report, particularly if the report is taken out of the context in which the report is intended to be used. If an alert is expected to be included in the cybersecurity risk management examination report, the practitioner may decide to inform management (and the engaging party, if different) and specified parties (and document in the engagement letter) that the report is not intended for distribution to parties other than those specified in the report. Nevertheless, a practitioner is not responsible for controlling, and cannot control, the distribution of his or her report after its release.

2.79 If the practitioner plans to use internal auditors to provide direct assistance, paragraph .41 of AT-C section 205 states that, prior to doing so, the practitioner should obtain written acknowledgment from management that internal auditors providing direct assistance to the practitioner will be allowed to follow the practitioner’s instructions and that management will not interfere in the performance of the internal auditors’ work. The practitioner may decide to document that acknowledgment in the engagement letter.

2.80 If management is the engaging party and refuses to sign the engagement letter, the practitioner should decline to accept or perform the cybersecurity risk management examination, unless withdrawal is not allowed by applicable law or regulation.

Accepting a Change in the Terms of the Engagement

2.81 After the engagement agreement is executed but prior to the completion of the engagement, management may communicate a desire to change the scope of the engagement. When management requests a change in the scope of the engagement, paragraph .29 of AT-C section 105 states that the practitioner should not agree to the change in the terms of the engagement unless there is reasonable justification for the change. Reasonable justification may exist for changes to the terms of the engagement requested as a result of the following:

• Misunderstanding concerning the nature of the engagement originally requested

• Change in the needs of users of the cybersecurity risk management examination report

• Change in the intended users of the report

2.82 As an example, there may be reasonable justification for management’s request to change the scope of an engagement, which was originally the entity-wide cybersecurity risk management program, by excluding from that scope the controls designed and operated at a division of the entity in the process of being sold, when the report is intended only for the use of board members.

2.83 Other changes to the scope of the engagement, however, may not be considered reasonable if they relate to information that is incorrect, incomplete, or otherwise unsatisfactory. An example of such a situation is a request to change the scope of the cybersecurity risk management examination from the entity-wide cybersecurity risk management program to only a portion of the entity-wide program to avoid a modified opinion on the effectiveness of controls, in a situation in which the practitioner has obtained evidence that controls were not effective to achieve the entity’s cybersecurity objectives based on one or more of the control criteria.

2.84 If, after using professional judgment, the practitioner believes there is reasonable justification to change the terms of the engagement from those originally contemplated, the practitioner would issue an appropriate report on the portion of the entity’s cybersecurity risk management program included within the scope of the engagement. The attestation standards do not require the practitioner’s report to include a reference to (a) the original engagement, (b) any procedures that may have been performed, or (c) scope limitations that resulted in the changed engagement. The practitioner may also decide to document the change in the engagement in an addendum to the engagement agreement to evidence agreement to the change among the parties.

2.85 However, if the practitioner and the engaging party are unable to agree to a change of the terms of the cybersecurity risk management examination, the practitioner and management may agree to continue the engagement in accordance with the original terms or mutually agree to terminate the engagement. If management does not accept either of these alternatives, the practitioner should take appropriate action, which could include disclaiming an opinion on both the description and the effectiveness of controls or withdrawing from the engagement.

Establishing an Overall Examination Strategy and Planning the Examination

2.86 When planning the cybersecurity risk management examination, the engagement partner and other key members of the engagement team develop an overall strategy for the scope, timing, and conduct of the engagement and an engagement plan, consisting of a detailed approach for the nature, timing, and extent of procedures to be performed. Adequate planning helps the practitioner devote appropriate attention to important areas of the engagement, identify potential problems on a timely basis, and properly organize and manage the engagement to make sure it is performed in an effective and efficient manner. Adequate planning also assists the practitioner in properly assigning work to engagement team members and facilitates the direction, supervision, and review of their work. Furthermore, if the work of internal auditors, other practitioners, or specialists is used in the engagement, proper planning helps the practitioner coordinate their work.

2.87 Paragraph .11 of AT-C section 205 requires a practitioner to establish an overall engagement strategy that sets the scope, timing, and direction of the engagement and guides in the development of the engagement plan. In establishing the overall engagement strategy, the practitioner does the following:

  1. Obtains an understanding of the entity’s business, cybersecurity objectives, and cybersecurity risk management program that define the engagement

  2. Ascertains the expected timing and nature of required communications

  3. Should consider the factors that, in the practitioner’s professional judgment, are significant in directing the engagement team’s efforts

  4. Should consider the results of preliminary engagement activities, such as client acceptance, and, when applicable, whether knowledge gained on other engagements performed by the engagement partner for the entity is relevant

  5. Plans the engagement process, including possible sources of evidence and choices among alternative measurement or evaluation methods

  6. Obtains an understanding of the influences and pressures on management and other appropriate party(ies) within the entity

  7. Should consider intended users of the cybersecurity risk management examination report and their information needs

  8. Should consider the risk of fraud relevant to the engagement

  9. Ascertains the nature, timing, and extent of resources necessary to perform the engagement

  10. Assesses the effect on the engagement of using the work of an internal audit function or obtaining direct assistance from internal audit function personnel

2.88 The nature and extent of planning activities will vary depending on the practitioner’s previous experience with the entity and on whether security events were identified in prior periods. Planning activities also will vary based on the entity’s organizational characteristics, including the following:

• The complexity of the entity’s cybersecurity risk management program based on factors such as its size and structure (for instance, centralized versus decentralized, insourced versus outsourced)

• The industry in which the entity operates

• The entity’s network topology

• Uncommon, unusual, or outdated technologies used by the entity

• Significant changes to IT architecture, applications, or IT and security staffing during the past 12 months

• Acquisitions or divestitures during the most recent period, the integration or segmentation strategy used for the IT systems, and the current state of those activities

• Countries in which the entity does business or has a significant data presence, including those countries deemed high risk by management

• Business units or divisions with IT systems administered under a separate management structure (for instance, outside of a centralized IT function)

• Third parties (customers, vendors, business partners, and others) with access to the entity’s information and systems who could represent a material risk to the achievement of the entity’s cybersecurity objectives

2.89 The nature and extent of planning activities also will vary with the engagement circumstances. Based on paragraph .A9 of AT-C section 205, other matters the practitioner may consider when planning the cybersecurity risk management examination include the following:

• The characteristics of the specific cybersecurity risk management examination, including factors such as

— whether the engagement will be performed on the entity-wide cybersecurity risk management program or on only a portion of that program;

— whether management is the engaging party; and

— the time frame for the engagement

• The expected timing and the nature of any required communications

• The results of preliminary engagement activities, such as client acceptance, and whether knowledge gained on other engagements for the entity is relevant to the cybersecurity risk management examination, including possible sources of evidence about

— the presentation of the description;

— the design, implementation, and operation of controls; and

— management’s selection of description criteria and control criteria against which the description and effectiveness of controls will be evaluated

• The practitioner’s understanding of the entity and its environment, including the risk that

— the description of the entity’s cybersecurity risk management program may not be presented in accordance with the description criteria and

— controls may not be effective to achieve the entity’s cybersecurity objectives

• Identification of intended users of the cybersecurity risk management examination report and their information needs, consideration of materiality, and the components of attestation risk

• The risk of fraud relevant to the engagement

• Use of the internal audit function, other practitioners, or specialists in the cybersecurity risk management examination

2.90 Paragraph .13 of AT-C section 205 includes more detailed requirements and additional explanatory guidance that the practitioner should consider when developing the engagement plan.

2.91 When establishing the overall engagement strategy and engagement plan, it is important to remember that the cybersecurity risk management examination is ordinarily performed using a top-down approach, similar to the approach used by management during its assessment. As in other internal control engagements, the top-down approach in a cybersecurity risk management examination ordinarily involves consideration of the matters discussed in the preceding paragraphs of this section, followed by consideration of entity-level processes and controls as well as management’s assessment and monitoring activities.

2.92 In a cybersecurity risk management examination, entity-level controls usually refer to the trust services criteria for

  1. control environment (CC1.1–1.5),

  2. communication and information (CC2.1–2.3),

  3. risk assessment (CC3.1–3.4), and

  4. monitoring (CC4.1–4.2).

2.93 Planning is a cumulative and iterative process that occurs throughout the engagement. Accordingly, the practitioner may need to revise the overall strategy and engagement plan based on unexpected events, changes in conditions, or evidence obtained that contradicts information considered during planning.

Considering Materiality During Planning

2.94 When establishing the overall engagement strategy, paragraph .16 of AT-C section 205 also requires the practitioner to consider both qualitative and quantitative materiality factors. Due to the vast number of information and other assets and the number of related processes and controls within even a small entity, or a business unit or segment of a larger entity, practitioners need to consider materiality to determine the nature, timing, and extent of procedures and to perform the cybersecurity risk management examination. Adoption of an appropriate materiality allows the practitioner to prioritize testing efforts and supports an effective and efficient engagement.

2.95 In the cybersecurity risk management examination, materiality relates to the likelihood and magnitude of the risks that threaten the achievement of the entity’s cybersecurity objectives and whether the processes and controls the entity has designed, implemented, and operated were effective in mitigating those risks to an acceptable level.

2.96 Accordingly, the practitioner should consider the nature of threats and the likelihood and magnitude of the risks arising from those threats to specific information and other assets. In addition, the practitioner should consider the technical environment and whether the realization of threats or exploitation of vulnerabilities related to specific information assets, which appear inconsequential, could expose (either directly or indirectly) information assets and thereby result in failure to achieve the entity’s cybersecurity objectives. For example, if access to the information assets of a financially immaterial business unit could provide access to the entity’s strategic business systems, and the practitioner determines there is a high likelihood that such a vulnerability might be exploited, the practitioner is likely to consider access to the information assets of the financially immaterial business unit material in the cybersecurity risk management examination.

2.97 The practitioner’s consideration of materiality is a matter of professional judgment and is affected by the practitioner’s perception of the common information needs of report users as a group. In this context, it is reasonable for the practitioner to assume that report users

  1. have a reasonable knowledge of cybersecurity, including the nature of cybersecurity risks and vulnerabilities and the processes and controls typically used to manage such risks, and are willing to study the topic with reasonable diligence.

  2. understand that the description of an entity’s cybersecurity risk management program and the controls within that program are measured or evaluated and examined to appropriate levels of materiality and understand any materiality concepts included in the description and control criteria.

  3. understand any inherent uncertainties involved in describing a cybersecurity risk management program and inherent limitations in the design and operation of controls. (To make sure that report users understand such uncertainties, both management’s assertion and the practitioner’s report disclose inherent limitations of a cybersecurity risk management engagement.)

  4. make reasonable decisions on the basis of the description and the effectiveness of controls, taken as a whole.

2.98 Unless the engagement has been designed to meet the particular information needs of specific users of the cybersecurity risk management examination report (and the report is restricted to those specific users), the possible effect of misstatements regarding the description of the entity’s cybersecurity risk management program or the effectiveness of controls on specific users, whose information needs may vary widely, is not ordinarily considered.

2.99 If the practitioner becomes aware, during the conduct of the engagement, of information that would have caused him or her to have initially determined a different materiality, paragraph .17 of AT-C section 205 requires the practitioner to reconsider materiality. Chapter 3 of this guide discusses materiality considerations during the performance of the cybersecurity risk management examination in further detail.

Performing Risk Assessment Procedures

Obtaining an Understanding of the Entity’s Cybersecurity Risk Management Program and Controls Within That Program

2.100 Paragraph .14 of AT-C section 205 requires the practitioner to obtain a sufficient understanding of the subject matter of the engagement. As previously discussed, there are two subject matters in the cybersecurity risk management examination:

  1. A description of the entity’s cybersecurity risk management program in accordance with the description criteria

  2. The effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria

2.101 The practitioner’s risk assessment procedures to obtain the understanding may include the following, usually in some combination:

• Inquiring of management, those charged with governance, and others within the entity who, in the practitioner’s judgment, may have relevant information

• Observing operations and inspecting documents, reports, and printed and electronic records of transaction processing

• Inspecting a selection of agreements between the entity and its customers and vendors and business partners (VBPs)

• Reperforming the application of a control

2.102 One or more of the procedures discussed in the preceding paragraph may be accomplished through the performance of a walkthrough. In addition, the practitioner may perform such procedures concurrently with procedures to obtain evidence about whether the description is presented in accordance with the description criteria and whether the controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria.

2.103 When obtaining the understanding of the entity’s program and controls, the practitioner needs to understand certain controls at a detailed level to enable him or her to perform procedures designed to obtain evidence about whether such controls were effective in achieving the entity’s cybersecurity objectives. Chapter 3 discusses the practitioner’s procedures in a cybersecurity risk management examination in more detail.

Assessing the Risk of Material Misstatement

2.104 In the cybersecurity risk management examination, the practitioner’s understanding of the entity’s cybersecurity risk management program and controls within that program should be sufficient to enable the practitioner to do the following:

• Identify and assess the risks that

— the description of the entity’s cybersecurity risk management program is not presented in accordance with the description criteria and

— controls were not effective in achieving the entity’s cybersecurity objectives based on the control criteria because of deficiencies in the design or operation of controls

• Provide a basis for designing and performing further procedures that are responsive to the assessed risks and for obtaining reasonable assurance to support the practitioner’s opinion on the description and the effectiveness of controls

2.105 When assessing the risks of material misstatement, paragraph .15 of AT-C section 205 states that the practitioner should obtain an understanding of internal control, which, in the case of a cybersecurity risk management examination, focuses on evaluating the design of controls over the preparation of the description and determining whether they have been implemented by making inquiries of the personnel responsible for the description and by performing other procedures. In addition, the practitioner should consider controls, including monitoring activities, that the entity has designed and implemented to provide reasonable assurance that the entity’s cybersecurity objectives are achieved.

2.106 The practitioner should consider whether any risk assessment procedures and other procedures performed to obtain the understanding indicate a risk of material misstatement due to fraud or noncompliance with laws or regulations. For example, fraud risks might include the risk of management override of entity controls, misappropriation of information and other assets, and the creation, by entity personnel, of false or misleading documents or records. Chapter 3 discusses the practitioner’s responsibilities for responding to known or suspected fraud or noncompliance in further detail.

2.107 As previously discussed, the risk of material misstatement relates to the likelihood and magnitude of the risks that threaten the achievement of the entity’s cybersecurity objectives and whether the processes and controls the entity has designed, implemented, and operated were effective in mitigating those risks. In the cybersecurity risk management examination, risk assessment often begins with identifying and assessing the types, likelihood, and impact of risks that affect the preparation of the description and the effectiveness of controls within the entity’s cybersecurity risk management program. Risks to the entity’s information assets, including manufacturing and industrial control systems, may arise from any of the following:

• Intentional (for example, fraud) and unintentional internal and external acts

• Identified threats, vulnerabilities, and deficiencies

• The use of external parties that store, process, or transmit sensitive information on the entity’s behalf (for example, suppliers, customers, vendors, business partners, “fourth parties”)

• The type of employee personnel (finance, administrative, operations, IT, sales and marketing, and so on) and others (contractors, vendor employees, business partners, and so on) with access to information and systems

2.108 Accordingly, when understanding the inherent risks that may affect the entity’s ability to achieve its cybersecurity objectives, the practitioner should consider whether the entity

• maintains information in the IT environment that is critical to operating its business or maximizing its advantage in the marketplace.

• is dependent on internet connectivity to support its business operations.

• is a high-profile entity within the sector in which it operates.

• relies extensively on complex industrial control systems.

• has an extensive number of third-party vendors or service providers with connections into its systems.

• operates within a regulated sector.

• operates in a sector that has a history of being a target of cyberattacks.

• operates in a sector that has been the target of attacks resulting in breaches that have had a material effect on the related entity.

• has a history of being subject to cyberattacks.

Some practitioners find it useful to use terms such as high, medium, or low to describe an entity’s overall inherent risk assessment. However, use of such terminology is not required.

2.109 Once the practitioner has identified and assessed the risks, the practitioner should consider the processes and controls the entity has designed, implemented, and operated to mitigate those risks. As required by paragraph .18 of AT-C section 205, the practitioner should consider the assessed risk of material misstatement as the basis for designing and performing further procedures whose nature, timing, and extent (a) are responsive to assessed risks of material misstatement and (b) allow the practitioner to obtain reasonable assurance about whether the description is presented in accordance with the description criteria and whether the controls were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

2.110 Most of the practitioner’s procedures in forming an opinion on the description and on the effectiveness of controls consist of obtaining and evaluating evidence. Procedures to obtain evidence include inspection, observation, reperformance, and analytical procedures, often in some combination, in addition to inquiry. Chapter 3 provides additional guidance on performing examination procedures in the cybersecurity risk management examination.

Understanding the Internal Audit Function

2.111 If the entity has an internal audit function, then as part of understanding the entity’s cybersecurity risk management program, the practitioner also obtains an understanding of

  1. the nature of the internal audit function’s responsibilities and how the internal audit function fits into the entity’s organizational structure and

  2. the activities performed or to be performed by the internal audit function as it relates to the cybersecurity risk management program.

2.112 If the internal audit function does not perform activities related to the cybersecurity risk management program, or if the entity does not have a function that performs similar activities, the practitioner should consider the effect on his or her conclusions regarding the effectiveness of monitoring of controls.

2.113 An entity’s internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted by functions with other titles within an entity. Some or all of the activities of an internal audit function may also be outsourced to a third-party service provider. For example, an entity may engage a service provider to perform (a) penetration testing; (b) responsibilities of the internal audit function that the function itself does not have the competency or qualifications to perform (for example, performing the IT internal audit function); or (c) a one-time special assessment at the request of the board of directors. Neither the title of the function nor whether it is performed by the entity or a third-party service provider are sole determinants of whether the practitioner can use the work of internal auditors. Rather, it is the nature of the activities, the extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors, the competence of internal auditors, and the systematic and disciplined approach of the function that are relevant. References in this guide to the work of the internal audit function include relevant activities of other functions or third-party providers that have these characteristics.

2.114 Activities of the internal audit function that may be relevant to the cybersecurity risk management examination include those that provide information or evidence about whether the description is presented in accordance with the description criteria or whether controls within the cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives.

2.115 When obtaining an understanding of the internal audit function’s responsibilities and activities, the practitioner makes inquiries of internal audit personnel and reads information about the internal audit function included in the description of the entity’s cybersecurity risk management program. Ordinarily, the practitioner also requests and reads any relevant internal audit reports related to the period covered by the engagement. For example, reading the internal audit plan and reports issued by the internal audit function enables the practitioner to understand the nature of the internal audit function’s responsibilities and how the internal audit function fits into the entity’s organizational structure. Additionally, any findings in internal audit reports that relate to the presentation of the description of the entity’s cybersecurity risk management program or the effectiveness of controls within that program should be taken into consideration as part of the risk assessment and in determining the nature, timing, and extent of the practitioner’s planned procedures.

Planning to Use the Work of Internal Auditors

2.116 If, after obtaining an understanding of the internal audit function, the practitioner concludes that (a) the activities of the internal audit function are not relevant to the cybersecurity risk management examination or (b) it may not be efficient to consider the work of the internal audit function, the practitioner does not need to give further consideration to the work of the internal audit function.

2.117 The practitioner may determine, however, that the engagement can be performed more effectively or efficiently by using the work of the internal audit function or obtaining direct assistance from internal audit function personnel. The phrase “using the work of the internal audit function” usually refers to using work designed and performed by the internal audit function, in accordance with an internal audit plan, to obtain evidence to support the various entity objectives. This differs from work the internal audit function performs to provide direct assistance to the practitioner, including assistance in performing tests of controls that are designed by the practitioner and performed by members of the internal audit function under the practitioner’s direction, supervision, and review. When members of the internal audit function provide direct assistance, the procedures they perform are similar to work performed by the engagement team.

Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors

2.118 If the practitioner determines that the work of the internal audit function is relevant to the cybersecurity risk management examination, and the practitioner intends to use the work of the internal audit function in obtaining evidence, or plans to use internal auditors to provide direct assistance during the examination, the practitioner should determine whether the work can be used for purposes of the examination by evaluating several factors. The factors the practitioner should evaluate include

  1. the level of competence of the internal audit function or the individual internal auditors providing direct assistance;

  2. the extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal audit function as a whole or, for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors and the related safeguards applied to reduce or eliminate those threats; and

  3. the application by the internal audit function of a systematic and disciplined approach, including quality control.

2.119 When evaluating competence, the practitioner should consider the attainment and maintenance of knowledge and skills of the internal audit function at the level required to enable assigned tasks to be performed diligently and with the appropriate level of quality, particularly as it relates to the work of the internal audit function that is to be used or, when using individuals for direct assistance, the individual. Consideration of factors such as the following may assist the practitioner with that evaluation: (a) hiring policies; (b) the adequacy of resources relative to the size of the entity; (c) technical training and proficiency of individuals; (d) knowledge of the areas being examined, including industry-specific or technical knowledge required to perform the work; and (e) whether internal auditors are members of relevant professional bodies or have certifications that oblige them to comply with the relevant professional standards, including continuing professional education requirements.

2.120 When evaluating objectivity, the practitioner should consider whether the internal audit function as a whole or, when using individuals for direct assistance, the individual performs tasks without allowing bias, conflict of interest, or undue influence of others to override professional judgments. Factors that may impact objectivity include whether there are (a) any conflicts of interest or undue influence of others to override professional judgments, (b) conflicting responsibilities, and (c) constraints or restrictions on the internal audit function (or, when using direct assistance, the individual).

2.121 When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the practitioner may consider the function’s approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider may include, among others, (a) the existence, adequacy, and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation, and reporting; or (b) whether the internal audit function has appropriate quality control policies and procedures.

2.122 The objectivity and competence of internal auditors are important considerations when determining whether to use their work and, if so, the nature and extent to which their work should be used. However, as noted in paragraph .A46 of AT-C section 205, a high degree of objectivity cannot compensate for a low degree of competence, nor can a high degree of competence compensate for a low degree of objectivity. Additionally, when the practitioner is considering whether to use the work of the internal audit function, neither a high level of competence nor strong support for the objectivity of the internal auditors compensates for the lack of a systematic and disciplined approach by the internal audit function.

2.123 Based on an evaluation of the preceding factors, it is up to the practitioner to determine whether the risks to the quality of the work of the internal audit function or the individual, when using direct assistance, are too significant and whether it is appropriate to use any of the work of the function or individual as examination evidence.

Determining the Extent to Which to Use the Work of Internal Auditors

2.124 The extent to which the practitioner plans to use the work of the internal audit function is a matter of professional judgment. Because the practitioner has sole responsibility for expressing an opinion on the description and on the effectiveness of controls, the practitioner makes all significant judgments in the examination, including when to use the work of the internal audit function in obtaining evidence.

2.125 To prevent undue use of the internal audit function in obtaining evidence, the practitioner should use less of the work of the internal audit function and perform more of the work directly in situations when

• more judgment is involved to plan and perform the procedures or to evaluate the evidence obtained.

• the assessed risk of material misstatement is high.

• the internal audit function’s organizational status and relevant policies and procedures raise concerns about the objectivity of the internal auditors.

• the level of competence of the internal audit function is low.

Coordinating Procedures With the Internal Auditors

2.126 When the practitioner plans to use the work of the internal audit function, the practitioner may find it helpful to review the internal audit function’s audit plan and discuss with management the planned use of the work of the internal audit function as a basis for coordinating the work of internal auditors with the practitioner’s procedures. The audit plan provides information about the nature, timing, extent, and scope of the work performed by the internal audit function, as well as the work that is planned to be performed.

2.127 As a basis for coordinating the respective activities between the practitioner and the internal auditors, it may be useful to address the following when planning to use the work of the internal audit function:

• The nature of the work performed

• The timing of such work

• The extent of coverage

• Proposed methods of item selection and sample sizes

• Documentation of the work performed

• Review and reporting procedures

2.128 Coordination between the practitioner and the internal audit function is effective when discussions take place at appropriate intervals throughout the period to which management’s assertion pertains. It is important that the practitioner informs the internal audit function of significant matters as they arise during the engagement. Equally important is that the practitioner has access to relevant reports of the internal audit function and is advised of any significant matters that come to the attention of the internal auditors, when such matters may affect the scope of the examination and the potential nature, timing, or extent of the examination procedures. Communication throughout the engagement provides opportunities for internal auditors to bring up matters that may affect the practitioner’s work. The practitioner is then able to take such information into account (for example, when assessing the risks that the description is not presented in accordance with the description criteria or that controls were not effective in achieving the entity’s cybersecurity objectives based on the control criteria).

2.129 Although the practitioner is not precluded from using work that the internal audit function has already performed, coordination of activities between the practitioner and the internal audit function is likely to be most effective when appropriate interaction occurs before the internal audit function performs the work.

2.130 When planning to use internal auditors to provide direct assistance, paragraph .41 of AT-C section 205 requires the practitioner to obtain written acknowledgment from management that internal auditors providing direct assistance will be allowed to follow the practitioner’s instructions without management’s interference.

Evaluating Whether the Work of Internal Auditors Is Adequate for the Practitioner’s Purposes

2.131 When using the work of the internal audit function, the practitioner should perform sufficient procedures, including reperformance, on the body of work of the internal audit function that the practitioner plans to use to evaluate whether such work is adequate for the practitioner’s purposes. Chapter 3 provides guidance on the practitioner’s considerations when performing procedures on that work.

Planning to Use the Work of an Other Practitioner

2.132 In certain situations, the practitioner might plan to use the work of an other practitioner. For example, if the entity operates divisions or business units in other geographic locations, the practitioner might plan to use the work of a practitioner located in the same geographic region as the entity to obtain sufficient appropriate evidence to enable the practitioner to express an opinion on the description and on the effectiveness of controls in the cybersecurity risk management engagement.

2.133 For those reasons, the practitioner who decides to use the work of an other practitioner is required by paragraph .31 of AT-C section 105 to

  1. obtain an understanding of whether the other practitioner understands, and will comply with, the ethical requirements that are relevant to the engagement and, in particular, is independent. (The discussion beginning in paragraph 2.66 of this guide also applies to the other practitioner.)

  2. obtain an understanding of the other practitioner’s professional competence. (See paragraph 2.135.)

  3. communicate clearly with the other practitioner about the scope and timing of the other practitioner’s work and findings. (See paragraph 2.136.)

  4. be involved in the work of the other practitioner, if assuming responsibility for the work of the other practitioner.

  5. evaluate whether the other practitioner’s work is adequate for the practitioner’s purposes. (See paragraph 2.137.)

  6. determine whether to make reference to the other practitioner in the practitioner’s report. (See paragraph 2.138.)

2.134 When using the work of an other practitioner, paragraph .A57 of AT-C section 205 clarifies that the practitioner is responsible for directing, supervising, and performing the engagement in compliance with professional standards, applicable regulatory and legal requirements, and the firm’s policies and procedures. The practitioner is also responsible for determining whether the report issued is appropriate in the circumstances.

2.135 When evaluating the professional competence of the other practitioner, the practitioner may make inquiries of the professional reputation of the other practitioner, consider whether the other practitioner is subject to regulatory oversight, and read any publicly available regulatory reports.

2.136 Once the practitioner has decided to use the work of an other practitioner, he or she should communicate with the other practitioner about the scope and timing of the other practitioner’s work. Through this communication, the practitioner can better plan the nature, timing, and extent of any procedures that relate to the work of the other practitioner, including the practitioner’s involvement in directing, supervising, and reviewing the work of the other practitioner. Due to complexities involved in planning a cybersecurity risk management engagement, using the work of other practitioners is most likely to be successful when these matters are addressed early in engagement planning.

2.137 When using the work of an other practitioner, the practitioner is also required to evaluate whether the other practitioner’s work is adequate for the purposes of the engagement. The nature, timing, and extent of this involvement are affected by the practitioner’s understanding of the other practitioner, such as previous experience with, or knowledge of, the other practitioner and the degree to which the engagement team and the other practitioner are subject to common quality control policies and procedures.

2.138 The practitioner also determines whether to take responsibility for the work of the other practitioner or to make reference to the other practitioner in the practitioner’s report. Chapter 4 provides a more detailed discussion about reporting when the work of an other practitioner is used.

Planning to Use the Work of a Practitioner’s Specialist

2.139 When planning a cybersecurity risk management examination, a practitioner may decide that engaging or assigning a specialist with specific skills and knowledge is necessary to execute the planned examination. If a practitioner’s specialist will be used in the cybersecurity risk management examination, paragraph .36 of AT-C section 205 requires the practitioner to

  1. evaluate the specialist’s competence, capabilities, and objectivity;

  2. obtain an understanding of the specialist’s field of expertise to enable the practitioner to determine the nature, scope, and objectives of the specialist’s work and to evaluate the adequacy of that work; and

  3. agree with the specialist regarding

    1. the nature, scope, and objectives of the specialist’s work;

    2. the respective roles and responsibilities of the practitioner and the specialist;

    3. the nature, timing, and extent of communication between the practitioner and the specialist, including the form of any report or documentation to be provided by the specialist; and

    4. the need for the practitioner’s specialist to observe confidentiality requirements.

2.140 By communicating with the practitioner’s specialist about these matters early in the engagement, the practitioner will be in a better position to plan the scope and timing of the specialist’s work on the engagement. In addition, he or she will be better able to plan the nature, timing, and extent of any procedures that relate to the work of the specialist, including the direction, supervision, and review of the specialist’s work, particularly if that work will be used during initial engagement planning and risk assessment. Though not required, the practitioner should consider documenting, in an engagement letter or other appropriate form of written communication, the understanding reached with the practitioner’s specialist about the matters discussed. When evaluating the practitioner’s specialist’s competence and capabilities, the practitioner may obtain information from a variety of sources, including discussions with the specialist, personal experience with the specialist’s work, discussions with others who are familiar with the specialist’s work, or published papers or books written by the specialist, among other things. In addition, the practitioner needs to determine that the practitioner’s specialist has a sufficient understanding of the attestation standards relevant to the cybersecurity risk management examination and this guide to enable the practitioner’s specialist to understand how his or her work will help achieve the objectives of the engagement.

2.141 When evaluating the objectivity of the practitioner’s external specialist, the practitioner may inquire of management (or the engaging party, if different) about any known interests or relationships (such as financial interests, business and personal relationships, and provision of other services by the practitioner’s external specialist) that management has with the specialist that may affect the objectivity of the practitioner’s external specialist. In certain cases, the practitioner may decide to request written representations from the practitioner’s external specialist about any interests or relationships with management (or the engaging party, if different) of which the specialist is aware.

2.142 The practitioner may also discuss with the practitioner’s specialist any safeguards applicable to the specialist and evaluate whether the safeguards are adequate to reduce known threats to independence to an acceptable level. There may be some circumstances in which safeguards cannot reduce such threats to an acceptable level. For example, if the practitioner’s specialist has played a significant role in implementing or operating significant aspects of the entity’s cybersecurity risk management program, he or she is likely not objective (independent) when measuring or evaluating the effectiveness of controls within that program.

2.143 When considering the relevance of the practitioner’s specialist’s field of expertise to the engagement, the practitioner should consider (a) whether that specialist’s field includes areas of specialty relevant to the engagement; (b) whether professional or other standards and regulatory or legal requirements apply; (c) assumptions and methods used by the specialist and whether they are generally accepted within the specialist’s field and appropriate in the engagement circumstances; and (d) the nature of internal and external data or information used by the practitioner’s specialist.

2.144 The nature, timing, and extent of the practitioner’s procedures to evaluate the matters discussed in this section vary depending on the particular circumstances of the engagement. When determining the nature, timing, and extent of those procedures, paragraph .38 of AT-C section 205 states that the practitioner should consider the following:

  1. The significance of that practitioner’s specialist’s work in the context of the engagement

  2. The nature of the matter to which the practitioner’s specialist’s work relates

  3. The risks of material misstatement in the matter to which the practitioner’s specialist’s work relates

  4. The practitioner’s knowledge of and experience with previous work performed by the practitioner’s specialist

  5. Whether the practitioner’s specialist is subject to the practitioner’s firm’s quality control policies and procedures, such as involvement in the firm’s recruitment and training programs

2.145 In addition to the matters discussed in this section, paragraph .36 of AT-C section 205 also requires the practitioner to evaluate the adequacy of the work of the practitioner’s specialist for the practitioner’s purposes. That evaluation is discussed further beginning in paragraph 3.115 of this guide.
