Understanding and reporting on cyber risk has long posed a challenge for non-technical audit and compliance professionals. But CPAs, internal auditors, and other business professionals are increasingly being asked to weigh in on cyber risk and assist management in making well-informed risk management decisions in this area.

To better equip its members for this challenge, the AICPA’s Assurance Services Executive Committee (ASEC) today unveiled two sets of draft criteria related to cybersecurity risk management. At this point, the drafts are being released for public comment only, but they are another important sign of the increased emphasis being placed on cyber risk from all sides.

The first exposure draft, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, is intended for use by management in designing and describing its cybersecurity risk management program, and by public accounting firms to report on management’s description.

The second, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or SOC 2 engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

“In response to growing market demand for information about the effectiveness of an entity’s cybersecurity risk management program, the auditing profession, through the AICPA, is developing a common foundation through the issuance of criteria and guidance,” said Susan S. Coffey, CPA, CGMA, AICPA executive vice president for public practice. “Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk management programs to stakeholders.”

The development of a common set of criteria will pave the way for the introduction of a new engagement that CPAs can use to assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the effectiveness of an entity’s cybersecurity risk management program.

The exposure drafts will remain open for public comment until Monday, December 5.

Focal Point and its affiliates are uniquely positioned as an experienced consulting body poised to make sense of this complicated cyber risk management landscape. Our clients benefit from our deep background in cybersecurity, internal audit, and SOC attestation services, as well as our ability to speak directly to the concerns of senior management, boards of directors, and investors. We are closely tracking the progress of the AICPA’s guidance in this area.


Focal Point Data Risk, LLC (“Focal Point”) is associated with Sunera CPAs & Associates LLP (“Sunera CPAs”), a registered CPA firm through an alternative practice structure. The two companies are separate legal entities that work together to serve critical business needs. Focal Point offers risk management consulting services and is not a licensed CPA firm. Sunera CPAs & Associates LLP provides SOC attestation services.  Focal Point and Sunera CPAs are subsidiaries of Cyber Risk Management, LLC