Book description
Created by the AICPA, this authoritative guide provides interpretative guidance to enable accountants to examine and report on an entity's cybersecurity risk management program and the controls within that program. The guide delivers a framework designed to provide stakeholders with useful, credible information about the effectiveness of an entity's cybersecurity efforts.
Table of contents
- Cover Page
- Title Page
- Copyright Page
- Contents
- Chapter 1: Introduction and Background
- Introduction
- Potential Users of Cybersecurity Information and Their Interests
- Cybersecurity Risk Management Examination
- Difference Between Cybersecurity and Information Security
- Description of the Entity’s Cybersecurity Risk Management Program
- Effectiveness of Controls Within the Entity’s Cybersecurity Risk Management Program
- Overview of the Cybersecurity Risk Management Examination
- Other Information About the Cybersecurity Risk Management Examination
- Time Frame of Examination
- Comparison of the Cybersecurity Risk Management Examination With an Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements
- Cybersecurity Risk Management Examination that Addresses only a Portion of the Entity’s Cybersecurity Risk Management Program
- Cybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls (Design-Only Examination)
- Other Engagements Related to Controls Over Security, Availability, Processing Integrity, Confidentiality, or Privacy
- Professional Standards
- Quality in the Cybersecurity Risk Management Examination
- Chapter 2: Accepting and Planning a Cybersecurity Risk Management Examination
- Introduction
- Understanding Management’s Responsibilities
- Practitioner’s Responsibilities
- Accepting or Continuing an Engagement
- Determining Whether the Subject Matter is Appropriate for the Cybersecurity Risk Management Examination
- Determining Whether the Subject Matter of the Engagement is Appropriate When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program
- Determining Whether the Subject Matter is Appropriate When the Examination Addresses Only the Suitability of the Design of Controls Within the Entity’s Cybersecurity Risk Management Program (Design-Only Examination)
- Determining Whether Management is Likely to Have a Reasonable Basis for the Assertion
- Consideration of Third Parties
- Assessing the Suitability and Availability of Criteria and the Related Cybersecurity Objectives
- Requesting a Written Assertion and Representations From Management
- Considering Practitioner Independence
- Considering the Competence of Engagement Team Members
- Establishing the Terms of the Engagement
- Establishing an Overall Examination Strategy and Planning the Examination
- Performing Risk Assessment Procedures
- Understanding the Internal Audit Function
- Planning to Use the Work of Internal Auditors
- Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors
- Determining the Extent to Which to Use the Work of Internal Auditors
- Coordinating Procedures With the Internal Auditors
- Evaluating Whether the Work of Internal Auditors is Adequate for the Practitioner’s Purposes
- Planning to Use the Work of an Other Practitioner
- Planning to Use the Work of a Practitioner’s Specialist
- Chapter 3: Performing the Cybersecurity Risk Management Examination
- Responding to Assessed Risks and Obtaining Evidence
- Obtaining Evidence About Whether the Description of the Entity’s Cybersecurity Risk Management Program Is Presented in Accordance With the Description Criteria
- Materiality Considerations When Evaluating Whether the Description is Presented in Accordance With the Description Criteria
- Considering Whether the Description is Misstated or Otherwise Misleading
- Evaluating the Description When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program
- Procedures to Obtain Evidence About the Description
- Considering the Suitability of the Entity’s Cybersecurity Objectives
- Materiality Considerations When Evaluating the Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives
- Obtaining and Evaluating Evidence About the Suitability of the Design of Controls to Achieve the Entity’s Cybersecurity Objectives
- Obtaining Evidence About the Operating Effectiveness of Controls to Achieve the Entity’s Cybersecurity Objectives
- Designing and Performing Procedures to Evaluate the Operating Effectiveness of Controls
- Nature of Procedures to Evaluate the Effectiveness of Controls
- Evaluating the Reliability of Information Produced by the Entity
- Timing of Procedures
- Extent of Procedures
- Selecting Items to Be Tested
- Testing Changes to Controls
- Risk Mitigation and Control Considerations Related to Third Parties
- Controls Did Not Need to Operate During the Period Covered by the Practitioner’s Report
- Revising the Risk Assessment
- Using the Work of a Practitioner’s Specialist
- Evaluating the Results of Procedures
- Responding to and Communicating Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies
- Obtaining Written Representations From Management
- Documentation
- Management’s Responsibilities at or Near Engagement Completion
- Chapter 4: Forming the Opinion and Preparing the Practitioner’s Report
- Responsibilities of the Practitioner
- Forming the Practitioner’s Opinion
- Preparing the Practitioner’s Report
- Modifications to the Practitioner’s Opinion
- Material Misstatements
- Scope Limitation
- Restricting the Use of the Practitioner’s Report
- Distribution of the Report
- Reporting When Using the Work of an Other Practitioner
- Reporting When a Specialist is Used for the Cybersecurity Risk Management Examination
- Report Date
- Other Information
- Appendix
- A: Information for Entity Management
- B: Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2 Examination and Related Reports
- C: Description Criteria for Use in the Cybersecurity Risk Management Examination
- D: Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination
- E: Illustrative Management Assertion in the Cybersecurity Risk Management Examination
- F-1: Illustrative Accountant’s Report in the Cybersecurity Risk Management Examination
- F-2: Illustrative Accountant’s Report in a Cybersecurity Risk Management Examination that Addresses Only the Suitability of the Design of Controls Implemented Within the Entity’s Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time
- G: Illustrative Cybersecurity Risk Management Report
- H: Definitions
- I: Overview of Statements on Quality Control Standards
- Index of Pronouncements and Other Technical Guidance
- Subject Index
Product information
- Title: Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls
- Author(s):
- Release date: June 2017
- Publisher(s): Wiley
- ISBN: 9781943546725