Last September, the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee announced that it would propose two separate frameworks to synthesize cybersecurity and the established concept of risk assessments and understanding of an entity’s internal controls.
The first AICPA cybersecurity proposal, “Management’s Description of an Entity’s Cybersecurity Risk Management Program,” was published as an Exposure Draft. As the title implies, the proposal provides description criteria that management of organizations of various sizes and industries can use to describe and assess their cybersecurity risk management program, so that a public accountant ultimately can attest to that description. Like any such framework, the proposal would give CPAs and the users of the resulting report a uniform, comprehensive way to identify an entity’s information security risks and the cyber threats it faces.
The second proposed framework, “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,” is designed for public accountants to assess the internal controls that address information security and cyber threats. Information security practice revolves around the “CIA” of information: Confidentiality (only authorized parties can read the information), Integrity (the information is not altered without authorization and can be relied on as accurate and complete), and Availability (systems and information are accessible to authorized users when needed). The proposed AICPA criteria build on these cornerstones of information security, and, as the title indicates, extend beyond them to processing integrity and privacy, allowing public accountants to attest to the design and operating effectiveness of an entity’s internal controls over information security and its mitigation of cyber threats.
The AICPA aims to provide public accounting professionals a framework and guidelines for reporting on an increasingly important segment of organizational risk. The AICPA has continued to seek feedback and will revise the proposals based on information received from accounting and information technology professionals. It also has launched a “Cybersecurity Resource Center,” which provides numerous resources, news updates, and information for CPAs interested in expanding their knowledge base in an ever-important area.
As the business world continues to rely on electronic storage and retrieval of data, maintaining the confidentiality, integrity, and availability of that data is crucial for protecting a business and its customers. It is particularly important for CPAs to stay abreast of developments in cybersecurity to maintain their reputation as knowledgeable, ethical business advisors. Large, well-known organizations regularly make headlines for falling victim to cyberattacks; for a smaller business, a crippling breach may do irreparable damage to its brand. CPAs therefore have a unique opportunity to leverage their business acumen to help protect their clients’ information technology assets and provide crucial information security guidance in an uncertain economic climate.
Public accountants, primarily focused on financial reporting, must remain keenly aware of technology’s growing importance to a modern accounting system. The scope of the traditional financial audit has expanded, and accountants must be increasingly tech-savvy to provide clients with timely and comprehensive service. This framework comes at a time when the gap between accounting and information technology is narrower than ever. Public accountants should use this guidance to better serve their clients’ needs and to help keep electronic financial systems secure.
At PYA, we will continue to evaluate these proposed frameworks and their impact on our Cyber Security Service Line. In the meantime, PYA remains committed to helping our clients mitigate risk and enhance their cyber security. If you have any questions about data security, or would like to request a speaker on this topic for your organization or event, contact one of our executives below at (800) 270-9629.