Cybersecurity and the AICPA Cybersecurity Attestation Project

Transcription

1 Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force 2 October 2015

2 Increasing awareness of cybersecurity exposure for business and other entities Increased dependence on interconnected IT Transaction processing Increased value of information Acceptance of proof of identify in electronic form Cyber attacks have become more organized, profitable and persistent Cybersecurity has evolved into a critical business issue Page 2

3 Effective cybersecurity programs are now a necessity for most entities Goal of cybersecurity Supports integrity of system processing and the information stored on systems, including, but not limited to, systems and information significant to financial reporting Helps ensure systems and information are available when needed Reduces the risk of compromise of confidential information, including: Confidential personal information addressed by privacy laws and regulations Intellectual property and proprietary business data Page 3

4 Functions potentially involved in a cybersecurity program Board/those charged with governance CEO Senior management Risk management and compliance General counsel CFO/finance COO/operations CIO IT security Privacy office Others Page 4

5 Information regarding cybersecurity at an entity is needed Decision-makers include: Those charged with governance Investors Customers Business partners Regulators The information needed is mostly unique from what is needed for financial reporting purposes Page 5

6 Two distinct needs for cybersecurity information As it relates to financial reporting of entities: Impact of business risks on financial audit Impact of cybersecurity incidents on an entity s financial position and results As it relates to the business operations and compliance of entities: Evaluation of users risks Evaluation of the impact of entity s operations on users operations Page 6

7 AICPA/CAQ response Response of the profession in the US: Center for Audit Quality has been leading a discussion on the effect of cybersecurity on financial audits Separate and distinct from the AICPA cybersecurity attestation project Communication to firms AICPA has initiated a project to develop subject matter and attestation guidance for reporting on cybersecurity as it relates to the operations and compliance of an entity Page 7

8 Timeline of AICPA IT security auditing 1995: BS 7799 Predecessor of ISO 27001/ : BS 7799 adopted as ISO : Federal Information Security Management Act SysTrust Principles & criteria for systems reliability 2011 Trust Services Principles & Criteria SOC 2 Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy SSAE 16 Reporting on Controls at a Service Organization SAS 70 Service Organizations SAS 44 Special-Purpose Reports on Internal Accounting Control at Service Organizations WebTrust Principles & criteria for electronic commerce SAS 3 The Effects of EDP on the Auditor s Study and Evaluation of Internal Control Page 8

9 Current state of security attestation Trust services principles and criteria Updated 2014 Currently under revision for privacy criteria rewrite May be updated as a result of cybersecurity project Service organization reporting Principles Security Availability Processing Integrity Confidentiality Privacy Two different reports SOC 2 SOC 3 Page 9

10 CAQ communications to firms Auditor responsibilities Identifying and assessing the risk of material misstatement Understanding the nature of the entity and its environment Understanding the effect of IT on financial reporting and ICFR Consideration of financial statement misstatement risk Assessing the impact of any breaches on financial reporting and ICFR Page 10

11 Internal control and cybersecurity at an entity Objectives of internal control Components Control environment Risk assessment Information and communications Control activities Operations Security Change Management Entity level Division Operating unit Function System Monitoring activities Security controls addressed as part of a financial audit Page 11

12 AICPA cybersecurity attestation project Working group under the Assurance Services Executive Committee Support from the CAQ Member firm support Outreach to users and industry as the project develops Page 12

13 Existing security frameworks Many different security frameworks exist: Management frameworks establish defined processes for managing security ISO NIST Cybersecurity Framework for Critical Infrastructure Control frameworks establish guidance in implementing specific controls to address identified risks ISO and related NIST Special Publications (e.g., NIST SP ) The trust services principles and criteria are a reporting framework used to evaluate the results of management processes and the controls they implement. Page 13

14 AICPA cybersecurity attestation project Goal Identify the information needed by users for decision-making Develop cybersecurity information subject to engagement Identify suitable criteria for evaluating the subject matter Develop practitioner guidance Page 14

15 Key considerations for practitioners Cybersecurity is a business issue with financial statement implications, affecting customers, business partners, investors and the public. Entities of all sizes and in all industries are affected. Practitioners need to be able to support stakeholders by: Assessing the impact of a cybersecurity incident on financial statements Providing independent assessments of cybersecurity risk management to concerned stakeholders Providing an independent perspective regarding the entity s cybersecurity risks and risk management program to those charged with governance and senior management Page 15

16 Cybersecurity report conceptual structure Management will provide useful information based on established criteria. Management will assert to the fairness of presentation of the information and the design and operating effectiveness of the controls related to cybersecurity. We are currently in the early stages of development. Page 16

17 Page 17 Questions?

18 Contact information Chris Halterman EY 801 Grand Ave., Suite 3000 Des Moines, Iowa USA Page 18

19 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US Ernst & Young LLP. All Rights Reserved. BSC No This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.