(Updated as of May 1, 2017)
This AICPA Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, has been developed by the AICPA’s Assurance Services Executive Committee (ASEC) Cybersecurity Working Group, in conjunction with the Auditing Standards Board (ASB), to assist practitioners engaged to examine and report on an entity’s cybersecurity risk management program.
This guide is recognized as an interpretive publication as described in AT-C section 105, Concepts Common to All Attestation Engagements. Interpretive publications are recommendations on the application of Statements on Standards for Attestation Engagements (SSAEs) in specific circumstances, including engagements for entities in specialized industries. The SSAEs are also known as the attestation standards.
Interpretive publications are issued under the authority of the ASB after all ASB members have been provided an opportunity to consider and comment on whether the proposed interpretive publication is consistent with the SSAEs. The members of the ASB have found the attestation guidance in this guide to be consistent with the SSAEs.
Although interpretive publications are not attestation standards, AT-C section 105 requires the practitioner to consider applicable interpretive publications in planning and performing an attestation engagement because interpretive publications are relevant to the proper application of the SSAEs in specific circumstances. If the practitioner ...