The New AICPA Cybersecurity Risk Management Framework

As detailed in Buchbinder’s webinar on cybersecurity in March, the American Institute of Certified Public Accountants (AICPA) has released its Cybersecurity Risk Management Framework to help organizations meet the growing cybersecurity challenge, and provide a framework for CPAs to examine and report on a client’s cybersecurity controls.

The framework is supported by three resources:

  • Description criteria that management can use to explain the organization’s cybersecurity risk management program.
  • Control criteria that CPAs providing advisory or attest services can use to evaluate and report on the effectiveness of the controls within an organization’s cybersecurity program.
  • The attest guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, which will assist CPAs in examining and reporting on an organization’s cybersecurity program. This will be released later in May.

The description and control criteria contain 9 description criteria objectives, organized into the following high-level groupings.

  • Nature of Business and Operations. Disclosures about the nature of the entity’s business.
  • Nature of Information at Risk. Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses, and stores that is susceptible to cybersecurity risk.
  • Cybersecurity Risk Management Program Objectives. Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, and integrity of data.
  • Factors That Have a Significant Effect on Inherent Cybersecurity Risks. Disclosures about factors that have a significant effect on the entity’s inherent cybersecurity risks.
  • Cybersecurity Risk Governance Structure. Disclosures about the entity’s cybersecurity risk governance and management structure.
  • Cybersecurity Risk Assessment Process. Disclosures related to the entity’s process for (1) identifying cybersecurity risks, (2) assessing the related risks to the achievement of the entity’s cybersecurity objectives, and (3) identifying, assessing, and managing the risks associated with vendors and business partners.
  • Cybersecurity Communications and the Quality of Cybersecurity Information. Disclosures about the entity’s process for communicating cybersecurity objectives, expectations, and responsibilities.
  • Monitoring of the Cybersecurity Risk Management Program. Disclosures about the entity’s process for assessing the effectiveness of the controls within its cybersecurity risk management program.
  • Cybersecurity Control Processes. Disclosures about (1) the entity’s process for developing a response to assessed risks, (2) the entity’s IT infrastructure, and (3) the key security policies and processes implemented and operated to address the entity’s cybersecurity risks.

This model allows organizations and CPAs to assess and report on cybersecurity risks in a consistent manner across all organizations.

For more information, please contact Michael Pinna at (212) 896-1896 or
