Safeguarding Clients’ Valuable Data: AICPA to Release Cybersecurity Framework Guidance

Last September, the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee announced that it would propose two separate frameworks that bring cybersecurity into the established discipline of risk assessment and the evaluation of an entity’s internal controls.

The first AICPA cybersecurity proposal, “Management’s Description of an Entity’s Cybersecurity Risk Management Program,” was published as an Exposure Draft.  As the title implies, the proposal provides description criteria that the management of organizations of varying size and industry can use to describe and assess their cybersecurity risk management program, so that a public accountant can ultimately attest to management’s description.  Like other attestation frameworks, this proposal would give CPAs and the users of their reports a uniform, comprehensive basis for identifying an entity’s information security risks and the cyber threats it faces.

The second proposed framework, “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” is designed for public accountants to assess an entity’s internal controls over information security and cyber threats.  Information security practice revolves around the “CIA” triad–Confidentiality (only the intended recipients may view the information), Integrity (the information is complete and free of unauthorized alteration), and Availability (the information is accessible when it is needed).  The proposed AICPA framework builds on these cornerstones of information security, allowing public accountants to attest to the design and operation of an entity’s controls over information security and its mitigation of cyber threats.

The AICPA aims to give public accounting professionals a framework and guidelines for reporting on an increasingly important segment of organizational risk.  The AICPA continues to seek feedback and will revise the proposals based on comments received from accounting and information technology professionals.  It also has launched a “Cybersecurity Resource Center,” which provides resources, news updates, and information for CPAs who want to expand their knowledge in this increasingly important area.

As the business world continues to rely on electronic storage and retrieval of data, maintaining the confidentiality, integrity, and availability of that data is crucial for protecting your business and your customers.  It is particularly important for CPAs to stay abreast of developments in cybersecurity to maintain their reputation as knowledgeable, ethical business consultants.  Large, well-known organizations regularly make headlines for falling victim to cyberattacks.  For smaller businesses, a crippling breach may cause irreparable damage to the entity’s brand.  CPAs therefore have a unique opportunity to leverage their business acumen to help protect their clients’ information technology assets and provide crucial information security guidance in an uncertain economic climate.

Public accountants, primarily focused on financial reporting, must remain keenly aware of technology’s growing importance to a modern accounting system.  The scope of the traditional financial audit has expanded, and accountants must be increasingly tech-savvy to provide clients with timely and comprehensive service.  This framework arrives at a time when the gap between accounting and information technology is as narrow as it has ever been.  Public accountants should use this guidance to better serve their clients’ needs and help maintain secure and protected electronic financial systems.

At PYA, we will continue to evaluate these proposed frameworks and their impact on our Cyber Security Service Line.  In the meantime, PYA remains committed to helping our clients mitigate risk and enhance their cyber security.  If you have any questions about data security, or would like to request a speaker on this topic for your organization or event, contact one of our executives below at (800) 270-9629.

Barry Mathis

Mike Shamblin

Managing Principal of Audit & Assurance Services
