Chapter 3

Performing the Cybersecurity Risk Management Examination

Responding to Assessed Risks and Obtaining Evidence

3.01 Paragraphs .20–.21 of AT-C section 205, Examination Engagements (AICPA, Professional Standards), require the practitioner to respond to the assessed risks when designing and performing examination procedures. Specifically, they require the practitioner to

  1. design and implement overall responses to address the assessed risks of material misstatement and

  2. design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement.

3.02 Paragraph .10 of AT-C section 105, Concepts Common to All Attestation Engagements (AICPA, Professional Standards), defines a misstatement as follows:

A difference between the measurement or evaluation of the subject matter by the responsible party and the proper measurement or evaluation of the subject matter based on the criteria. Misstatements can be ...
