Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls by American Institute of Certified Public Accountants

Subject Index

A

ACCEPTING OR CONTINUING AN ENGAGEMENT 2.03–.73

. Competence of engagement team members 2.70–.73

. Examination addressing portion of program 2.17–.23

. Independence of practitioner 2.66–.69

. Management’s acceptance of responsibilities 2.03–.07

. Management’s refusal to provide written assertion 2.64

. Preconditions of acceptance 2.01, 2.10–.14, 2.28, 2.30

. Reasonable basis for management’s assertion 2.28–.36

. Requesting written assertion and representation from management 2.62–.65

. Subject matter appropriateness 2.15–.36

. Suitability and availability of criteria 2.42–.54

. Suitability of cybersecurity objectives 2.55–.61

. Third-party considerations 2.37–.41

ACCESS CONTROL LISTS 3.65

ACCOUNTANT’S REPORT. See also opinion; practitioner’s report Appendix F-1, Appendix F-2, Appendix G

ADVERSE OPINION. See also opinion 3.37, 4.30–.31, Table at 4.20

ALERT PARAGRAPHS RESTRICTING USE OF ACCOUNTANT’S REPORTS 2.44, 2.78, 4.11, 4.49–.54

APPROPRIATENESS OF SUBJECT MATTER FOR EXAMINATION 2.15–.36

ASSURANCE SERVICES EXECUTIVE COMMITTEE (ASEC) 2.46

ATTESTATION ENGAGEMENT, GENERALLY. See also cybersecurity risk management examination 1.11

ATTESTATION STANDARDS

. Applicable standards 1.51–.55

. Coded of Professional Conduct 1.56

. Generally 1.09–.14

. Quality control standards and 1.57–.59

AUDIT SAMPLING 3.88–.91, 3.109–.110

AVAILABILITY OF CRITERIA 1.34, 2.42–.61

B

BOARD OF DIRECTORS 1.02, 1.04, 1.17, 1.22

BUSINESS OBJECTIVES 1.22–.26, 2.55, 2.57, 2.60

BUSINESS PARTNERS. ...