by American Institute of Certified Public Accountants
Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls
Cover Page
Title Page
Copyright Page
Contents
Chapter 1: Introduction and Background
Introduction
Potential Users of Cybersecurity Information and Their Interests
Cybersecurity Risk Management Examination
Difference Between Cybersecurity and Information Security
Description of the Entity’s Cybersecurity Risk Management Program
The Entity’s Cybersecurity Objectives
Effectiveness of Controls Within the Entity’s Cybersecurity Risk Management Program
Overview of the Cybersecurity Risk Management Examination
Other Information About the Cybersecurity Risk Management Examination
Time Frame of Examination
Comparison of the Cybersecurity Risk Management Examination With an Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements
Cybersecurity Risk Management Examination that Addresses only a Portion of the Entity’s Cybersecurity Risk Management Program
Cybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls (Design-Only Examination)
Other Engagements Related to Controls Over Security, Availability, Processing Integrity, Confidentiality, or Privacy
SOC 2 Engagements
Comparison of a Cybersecurity Risk Management Examination and a SOC 2 Engagement
Engagements Under the AICPA Consulting Standards
Professional Standards
Attestation Standards
Code of Professional Conduct
Quality in the Cybersecurity Risk Management Examination
Chapter 2: Accepting and Planning a Cybersecurity Risk Management Examination
Introduction
Understanding Management’s Responsibilities
Practitioner’s Responsibilities
Accepting or Continuing an Engagement
Preconditions of a Cybersecurity Risk Management Examination
Determining Whether the Subject Matter is Appropriate for the Cybersecurity Risk Management Examination
Determining Whether the Subject Matter of the Engagement is Appropriate When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Progra
Determining Whether the Subject Matter is Appropriate When the Examination Addresses Only the Suitability of the Design of Controls Within the Entity’s Cybersecurity Risk Management Program (Design-On
Determining Whether Management is Likely to Have a Reasonable Basis for the Assertion
Consideration of Third Parties
Assessing the Suitability and Availability of Criteria and the Related Cybersecurity Objectives
Description Criteria
Control Criteria
Assessing the Suitability of the Entity’s Cybersecurity Objectives
Requesting a Written Assertion and Representations From Management
Considering Practitioner Independence
Considering the Competence of Engagement Team Members
Establishing the Terms of the Engagement
Accepting a Change in the Terms of the Engagement
Establishing an Overall Examination Strategy and Planning the Examination
Considering Materiality During Planning
Performing Risk Assessment Procedures
Obtaining an Understanding of the Entity’s Cybersecurity Risk Management Program and Controls Within That Program
Assessing the Risk of Material Misstatement
Understanding the Internal Audit Function
Planning to Use the Work of Internal Auditors
Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors
Determining the Extent to Which to Use the Work of Internal Auditors
Coordinating Procedures With the Internal Auditors
Evaluating Whether the Work of Internal Auditors is Adequate for the Practitioners’ Purposes
Planning to Use the Work of an Other Practitioner
Planning to Use the Work of a Practitioner’s Specialist
Chapter 3: Performing the Cybersecurity Risk Management Examination
Responding to Assessed Risks and Obtaining Evidence
Considering Materiality in Responding to the Assessed Risks and Planning Procedures
Designing Overall Responses to the Risk Assessment
Obtaining Evidence About Whether the Description of the Entity’s Cybersecurity Risk Management Program Is Presented in Accordance With the Description Criteria
Materiality Considerations When Evaluating Whether the Description is Presented in Accordance With the Description Criteria
Considering Whether the Description is Misstated or Otherwise Misleading
Evaluating the Description When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program
Procedures to Obtain Evidence About the Description
Considering the Suitability of the Entity’s Cybersecurity Objectives
Materiality Considerations When Evaluating the Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives
Obtaining and Evaluating Evidence About the Suitability of the Design of Controls to Achieve the Entity’s Cybersecurity Objectives
Identifying and Evaluating Deficiencies in the Suitability of Control Design
Obtaining Evidence About the Operating Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives
Designing and Performing Procedures to Evaluate the Operating Effectiveness of Controls
Nature of Procedures to Evaluate the Effectiveness of Controls
Evaluating the Reliability of Information Produced by the Entity
Timing of Procedures
Extent of Procedures
Selecting Items to Be Tested
Testing Changes to Controls
Risk Mitigation and Control Considerations Related to Third Parties
Controls Did Not Need to Operate During the Period Covered by the Practitioner’s Report
Revising the Risk Assessment
Using the Work of a Practitioner’s Specialist
Evaluating the Results of Procedures
Responding to and Communicating Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies
Known or Suspected Fraud or Noncompliance With Laws or Regulations
Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies
Obtaining Written Representations From Management
Requested Written Representations Not Provided or Not Reliable
Subsequent Events and Subsequently Discovered Facts
Subsequent Events Unlikely to Have an Effect on the Practitioner’s Opinion
Documentation
Management’s Responsibilities at or Near Engagement Completion
Modifying Management’s Assertion
Chapter 4: Forming the Opinion and Preparing the Practitioner’s Report
Responsibilities of the Practitioner
Forming the Practitioner’s Opinion
Considering the Sufficiency and Appropriateness of Evidence
Considering Material Uncorrected Description Misstatements and Deficiencies
Expressing an Opinion on the Subject Matters in the Cybersecurity Risk Management Examination
Preparing the Practitioner’s Report
Elements of the Practitioner’s Report
Tailoring the Practitioner’s Report in a Design-Only Examination
Modifications to the Practitioner’s Opinion
Emphasis of Certain Matters
Controls Did Not Operate During the Period Covered by the Report
Material Misstatements
Qualified Opinion
Adverse Opinion
Separate Paragraphs Because of Material Misstatements in the Description
Separate Paragraphs Because of Material Deficiencies in the Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives
Scope Limitation
Qualified Opinion
Disclaimer of Opinion
Restricting the Use of the Practitioner’s Report
Restricting Use When Required by Professional Standards
Restricting Use in Other Situations
Distribution of the Report
Reporting When Using the Work of an Other Practitioner
Reporting When a Specialist is Used for the Cybersecurity Risk Management Examination
Report Date
Other Information
Appendix
A: Information for Entity Management
B: Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2 Examination and Related Reports
C: Description Criteria for Use in the Cybersecurity Risk Management Examination
D: Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination
E: Illustrative Management Assertion in the Cybersecurity Risk Management Examination
F-1: Illustrative Accountant’s Report in the Cybersecurity Risk Management Examination
F-2: Illustrative Accountant’s Report in a Cybersecurity Risk Management Examination that Addresses Only the Suitability of the Design of Controls Implemented Within the Entity’s Cybersecurity Risk Ma
G: Illustrative Cybersecurity Risk Management Report
H: Definitions
I: Overview of Statements on Quality Control Standards
Index of Pronouncements and Other Technical Guidance
Subject Index