Appendix F-1

Illustrative Accountant’s Report in the Cybersecurity Risk Management Examination

This illustration is nonauthoritative and is included for informational purposes only.

Independent Accountant’s Report

To Management of ABC Entity:


We have examined the accompanying description of ABC Entity’s cybersecurity risk management program titled [insert title of management’s description] throughout the period [date] to [date] (description) based on the description criteria noted below. We have also examined the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria noted below.

The criteria used to prepare the description are [name of the description criteria, e.g., AICPA Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program] (description criteria); the criteria used to evaluate whether the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives are [name of the control criteria, e.g., the criteria for security, availability, and confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria) or other suitable criteria] (control criteria).

An entity’s cybersecurity risk management program is the set of policies, processes, and controls designed to protect ...
