Cybersecurity Reporting and Assurance Workshop
Friday, November 30, 2018
CPA Canada, 277 Wellington Street West, Toronto, Canada
10:00 am – 3:00 pm
Register now to avoid disappointment. Space is limited to 20 participants.
CPD Certificates will be issued.
Registration fee of $600 (+HST) includes all materials, lunch and refreshments.
Cybercrime is fast becoming one of the most significant economic issues affecting businesses, public sector organizations and individuals around the world. Security breaches leading to theft of confidential information can lead to financial losses, reputational damage, diminished stakeholder confidence, lost opportunities, and potential regulatory penalties. Thus, cybersecurity is receiving an increasing amount of attention by the business community, legislators and regulatory agencies. Accordingly, cybersecurity governance, control, reporting and assurance are important agenda items for accounting and auditing academics and practitioners to address.
Because of the CPA profession’s long history with external reporting on many different topics (e.g., financial statements, compliance with governmental regulations, controls over IT systems), the Association of International Certified Professional Accountants (AICPA), with the support of the Center for Audit Quality, initiated a project to identify what the CPA’s service and related external reporting on cybersecurity risk management might look like. The approach includes:
- A management-prepared, narrative description of the entity’s cybersecurity risk management program.
- Management’s assertion/statement that the description was presented in accordance with the description criteria and the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
- A CPA’s opinion on whether the description was presented in accordance with the description criteria (i.e., its completeness and accuracy) and the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
Format/Structure of the Workshop
A combination of presentations by workshop leaders, table group exercises and open discussion will be used. Participants will need to bring laptops or other devices suitable for downloading and reading web-based content.
The workshop leaders are involved in developing the AICPA’s Cybersecurity Initiative, including the criteria for evaluating the completeness and accuracy of the description of the entity’s cybersecurity risk management program, the criteria for evaluating the effectiveness of controls included in that program and guidance on performing an assurance engagement of an entity’s cybersecurity risk management program.
What’s it all about? The purpose of this workshop is to explore a cybersecurity assurance engagement that will serve as the foundation for a profession-wide approach for reporting on an entity’s cybersecurity risk management program. All materials for the workshop will be supplied, including relevant AICPA and CPA Canada publications such as:
- AICPA Guide - Reporting on an Entity’s Cybersecurity Risk Management Program and Controls - SOC for Cybersecurity,
- CPA Canada Guide - Reporting on an Entity’s Cybersecurity Risk Management Program and Controls - SOC for Cybersecurity,
- AICPA Description Criteria, and
- AICPA Trust Services Principles and Criteria.
Who should attend? This workshop would be useful to practitioners who are interested in developing services in this area, including readiness engagements. Participants should have a basic understanding of the AICPA's Attestation Standards, CPA Canada's Canadian Standard on Assurance Engagements (CASE) 3000 and familiarity with COSO and the AICPA's Trust Services Criteria.
After completing this workshop an attendee will be able to:
- describe the rationale/demand for a cybersecurity assurance engagement,
- identify standards and frameworks applicable to cybersecurity assurance engagements, including NIST CSF, COSO, AICPA DC and TSC and other relevant frameworks,
- describe key elements of an assurance engagement on an entity’s cybersecurity risk management program,
- describe the criteria for preparing and evaluating a description of an entity’s cybersecurity risk management program, including an illustrative example of such a description,
- describe the criteria for testing and evaluating the effectiveness of controls implemented to achieve the entity’s cybersecurity objectives (a combination of COSO-based and Trust Services based entity level criteria developed specifically for cybersecurity assurance engagements),
- describe issues in establishing materiality, designing tests of controls and evaluating the results of testing,
- explain the reporting on the results of the cybersecurity assurance engagement, and
- identify sources for educational materials that can be used in the Auditing and AIS courses.
Prior to the session, participants should visit the AICPA's website containing materials related to the AICPA Cybersecurity Initiative and review the materials found there.
J. Efrim Boritz, Professor, University of Waterloo and Member of the AICPA Trust Information Integrity Task Force.