Notes

Preface

1 All AT-C sections can be found in AICPA Professional Standards.

2 Statement on Standards for Attestation Engagements No. 18, Attestation Standards: Clarification and Recodification (AICPA, Professional Standards), is effective for practitioners' reports dated on or after May 1, 2017.

3 This exception is not available in the cybersecurity risk management examination discussed in this guide. See footnote 7 in chapter 2, “Accepting and Planning a Cybersecurity Risk Management Examination,” of this guide.

Chapter 1: Introduction and Background

1 This guide uses the term board members to refer to the governing body of an entity, which may take the form of a board of directors or supervisory board for a corporation, board of trustees for a not-for-profit entity, board of governors or commissioners for government entities, general partners for a partnership, or owner for a small business.

2 Some business partners may need a detailed understanding of controls implemented by the entity and the operating effectiveness of those controls to enable them to design and operate their own control activities. For example, business partners whose IT systems are interconnected with systems at the entity may need to understand the specific logical access protection over the interconnected systems implemented by the entity.

This guide is not intended to meet the needs of business partners who need a detailed understanding of the entity's specific controls and their operating effectiveness. ...
