Appendix G

Illustrative Cybersecurity Risk Management Report

This appendix is nonauthoritative and is included for informational purposes only.

Note:

Although the AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls describes the components of a cybersecurity risk management report and the information to be included therein, it does not mandate specific formats for most of the information to be presented. Entity management and the practitioner may organize and present the required information in a variety of formats.

The format of the illustrative cybersecurity risk management report presented in this nonauthoritative appendix is included for illustrative purposes only. The illustrative cybersecurity risk management report contains all the required components of such a report, including (a) management’s assertion, (b) the accountant’s report, and (c) the description of the entity’s cybersecurity risk management program.

Report on XYZ Manufacturing’s Description of its Cybersecurity Risk Management Program and the Effectiveness of Controls Within the Program Throughout the Period January 1, 20X1, to December 31, 20X1

CONTENTS

Section 1—Assertion of the Management of XYZ Manufacturing

Section 2—Independent Accountant’s Report

Section 3—XYZ Manufacturing’s Description of Its Cybersecurity Risk Management Program

Section 1—Assertion of the Management of XYZ Manufacturing

Introduction

We have prepared the attached XYZ Manufacturing’s Description ...

Get Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial