Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls by American Institute of Certified Public Accountants

Chapter 4

Forming the Opinion and Preparing the Practitioner’s Report

Responsibilities of the Practitioner

4.01 In the cybersecurity risk management examination, the practitioner is responsible for directly expressing an opinion, in a written report, on the following matters:

  1. Whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and

  2. Whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria

4.02 Because there are two distinct but complementary subject matters, the practitioner expresses an opinion on each in his or her report. Therefore, unless otherwise stated, a reference to the practitioner’s report in this chapter includes the practitioner’s responsibility to express an opinion on both the (1) description and (2) effectiveness of controls within the cybersecurity risk management program.

4.03 In some circumstances, management may engage the practitioner to perform an examination on the design of the controls rather than on their effectiveness. ...