book

Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls

Name: Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls
Author: American Institute of Certified Public Accountants
ISBN: 9781943546725

by American Institute of Certified Public Accountants

June 2017

Intermediate to advanced

288 pages

9h 21m

English

Wiley

Read now

Unlock full access

Cover Page
Title Page
Copyright Page
Contents
Chapter 1: Introduction and Background
IntroductionPotential Users of Cybersecurity Information and Their InterestsCybersecurity Risk Management ExaminationDifference Between Cybersecurity and Information SecurityDescription of the Entity’s Cybersecurity Risk Management ProgramThe Entity’s Cybersecurity ObjectivesEffectiveness of Controls Within the Entity’s Cybersecurity Risk Management ProgramOverview of the Cybersecurity Risk Management ExaminationOther Information About the Cybersecurity Risk Management ExaminationTime Frame of ExaminationComparison of the Cybersecurity Risk Management Examination With an Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial StatementsCybersecurity Risk Management Examination that Addresses only a Portion of the Entity’s Cybersecurity Risk Management ProgramCybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls (Design-Only Examination)Other Engagements Related to Controls Over Security, Availability, Processing Integrity, Confidentiality, or PrivacySOC 2 EngagementsComparison of a Cybersecurity Risk Management Examination and a SOC 2 EngagementEngagements Under the AICPA Consulting StandardsProfessional StandardsAttestation StandardsCode of Professional ConductQuality in the Cybersecurity Risk Management Examination
Chapter 2: Accepting and Planning a Cybersecurity Risk Management Examination
IntroductionUnderstanding Management’s ResponsibilitiesPractitioner’s ResponsibilitiesAccepting or Continuing an EngagementPreconditions of a Cybersecurity Risk Management ExaminationDetermining Whether the Subject Matter is Appropriate for the Cybersecurity Risk Management ExaminationDetermining Whether the Subject Matter of the Engagement is Appropriate When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management ProgramDetermining Whether the Subject Matter is Appropriate When the Examination Addresses Only the Suitability of the Design of Controls Within the Entity’s Cybersecurity Risk Management Program (Design-Only Examination)Determining Whether Management is Likely to Have a Reasonable Basis for the AssertionConsideration of Third PartiesAssessing the Suitability and Availability of Criteria and the Related Cybersecurity ObjectivesDescription CriteriaControl CriteriaAssessing the Suitability of the Entity’s Cybersecurity ObjectivesRequesting a Written Assertion and Representations From ManagementConsidering Practitioner IndependenceConsidering the Competence of Engagement Team MembersEstablishing the Terms of the EngagementAccepting a Change in the Terms of the EngagementEstablishing an Overall Examination Strategy and Planning the ExaminationConsidering Materiality During PlanningPerforming Risk Assessment ProceduresObtaining an Understanding of the Entity’s Cybersecurity Risk Management Program and Controls Within That ProgramAssessing the Risk of Material MisstatementUnderstanding the Internal Audit FunctionPlanning to Use the Work of Internal AuditorsEvaluating the Competence, Objectivity, and Systematic Approach Used by Internal AuditorsDeterining the Extent to Which to Use the Work of Internal AuditorsCoordinating Procedures With the Internal AuditorsEvaluating Whether the Work of Internal Auditors is Adequate for the Practitioners’ PurposesPlanning to Use the Work of an Other PractitionerPlanning to Use the Work of a Practitioner’s Specialist
Chapter 3: Performing the Cybersecurity Risk Management Examination
Responding to Assessed Risks and Obtaining EvidenceConsidering Materiality in Responding to the Assessed Risks and Planning ProceduresDesigning Overall Responses to the Risk AssessmentObtaining Evidence About Whether the Description of the Entity’s Cybersecurity Risk Management Program Is Presented in Accordance With the Description CriteriaMateriality Considerations When Evaluating Whether the Description is Presented in Accordance With the Description CriteriaConsidering Whether the Description is Misstated or Otherwise MisleadingEvaluating the Description When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity’s Cybersecurity Risk Management ProgramProcedures to Obtain Evidence About the DescriptionConsidering the Suitability of the Entity’s Cybersecurity ObjectivesMateriality Considerations When Evaluating the Effectiveness of Controls to Achieve the Entity’s Cybersecurity ObjectivesObtaining and Evaluating Evidence About the Suitability of the Design of Controls to Achieve the Entity’s Cybersecurity ObjectivesIdentifying and Evaluating Deficiencies in the Suitability of Control DesignObtaining Evidence About the Operating Effectiveness of Controls to Achieve the Entity’s Cybersecurity ObjectivesDesigning and Performing Procedures to Evaluate the Operating Effectiveness of ControlsNature of Procedures to Evaluate the Effectiveness of ControlsEvaluating the Reliability of Information Produced by the EntityTiming of ProceduresExtent of ProceduresSelecting Items to Be TestedTesting Changes to ControlsRisk Mitigation and Control Considerations Related to Third PartiesControls Did Not Need to Operate During the Period Covered by the Practitioner’s ReportRevising the Risk AssessmentUsing the Work of a Practitioner’s SpecialistEvaluating the Results of ProceduresResponding to and Communicating Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control DeficienciesKnown or Suspected Fraud or Noncompliance With Laws or RegulationsCommunicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control DeficienciesObtaining Written Representations From ManagementRequested Written Representations Not Provided or Not ReliableSubsequent Events and Subsequently Discovered FactsSubsequent Events Unlikely to Have an Effect on the Practitioner’s OpinionDocumentationManagement’s Responsibilities at or Near Engagement CompletionModifying Management’s Assertion
Chapter 4: Forming the Opinion and Preparing the Practitioner’s Report
Responsibilities of the PractitionerForming the Practitioner’s OpinionConsidering the Sufficiency and Appropriateness of EvidenceConsidering Material Uncorrected Description Misstatements and DeficienciesExpressing an Opinion on the Subject Matters in the Cybersecurity Risk Management ExaminationPreparing the Practitioner’s ReportElements of the Practitioner’s ReportTailoring the Practitioner’s Report in a Design-Only ExaminationModifications to the Practitioner’s OpinionEmphasis of Certain MattersControls Did Not Operate During the Period Covered by the ReportMaterial MisstatementsQualified OpinionAdverse OpinionSeparate Paragraphs Because of Material Misstatements in the DescriptionSeparate Paragraphs Because of Material Deficiencies in the Effectiveness of Controls to Achieve the Entity’s Cybersecurity ObjectivesScope LimitationQualified OpinionDisclaimer of OpinionRestricting the Use of the Practitioner’s ReportRestricting Use When Required by Professional StandardsRestricting Use in Other SituationsDistribution of the ReportReporting When Using the Work of an Other PractitionerReporting When a Specialist is Used for the Cybersecurity Risk Management ExaminationReport DateOther Information
Appendix
A: Information for Entity Management
B: Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2 Examination and Related Reports

C: Description Criteria for Use in the Cybersecurity Risk Management Examination
D: Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination
E: Illustrative Management Assertion in the Cybersecurity Risk Management Examination
F-1: Illustrative Accountant’s Report in the Cybersecurity Risk Management Examination
F-2: Illustrative Accountant’s Report in a Cybersecurity Risk Management Examination that Addresses Only the Suitability of the Design of Controls Implemented Within the Entity’s Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time
G: Illustrative Cybersecurity Risk Management Report
H: Definitions
I: Overview of Statements on Quality Control Standards
Index of Pronouncements and Other Technical Guidance
Subject Index

Content preview from Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls

Chapter 3 Performing the Cybersecurity Risk Management Examination

This chapter discusses responding to the assessed risks, materiality considerations, and other matters affecting the nature, timing, and extent of the practitioner’s procedures to obtain sufficient appropriate evidence about whether (a) management’s description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and (b) the controls within that program were effective for the specified period of time to achieve the entity’s cybersecurity objectives.

Responding to Assessed Risks and Obtaining Evidence

3.01 Paragraphs .20–.21 of AT-C section 205, Examination Engagements (AICPA, Professional Standards), require the practitioner to respond to the assessed risks when designing and performing examination procedures. Specifically, they require the practitioner to

design and implement overall responses to address the assessed risks of material misstatement and
design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement.

3.02 Paragraph .10 of AT-C section 105, Concepts Common to All Attestation Engagements (AIPCA, Professional Standards), defines a misstatement as follows:

A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Managing Risk and Information Security: Protect to Enable, Second Edition

Publisher Resources

ISBN: 9781943546725

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls

by American Institute of Certified Public Accountants

Chapter 3

Performing the Cybersecurity Risk Management Examination

Responding to Assessed Risks and Obtaining Evidence

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.