Cybersecurity and the AICPA Cybersecurity Attestation Project Chris Halterman Executive Director EY Chair AICPA Trust Information Integrity Task Force 2 October 2015
Increasing awareness of cybersecurity exposure for business and other entities Increased dependence on interconnected IT Transaction processing Increased value of information Acceptance of proof of identify in electronic form Cyber attacks have become more organized, profitable and persistent Cybersecurity has evolved into a critical business issue Page 2
Effective cybersecurity programs are now a necessity for most entities Goal of cybersecurity Supports integrity of system processing and the information stored on systems, including, but not limited to, systems and information significant to financial reporting Helps ensure systems and information are available when needed Reduces the risk of compromise of confidential information, including: Confidential personal information addressed by privacy laws and regulations Intellectual property and proprietary business data Page 3
Functions potentially involved in a cybersecurity program Board/those charged with governance CEO Senior management Risk management and compliance General counsel CFO/finance COO/operations CIO IT security Privacy office Others Page 4
Information regarding cybersecurity at an entity is needed Decision-makers include: Those charged with governance Investors Customers Business partners Regulators The information needed is mostly unique from what is needed for financial reporting purposes Page 5
Two distinct needs for cybersecurity information As it relates to financial reporting of entities: Impact of business risks on financial audit Impact of cybersecurity incidents on an entity s financial position and results As it relates to the business operations and compliance of entities: Evaluation of users risks Evaluation of the impact of entity s operations on users operations Page 6
AICPA/CAQ response Response of the profession in the US: Center for Audit Quality has been leading a discussion on the effect of cybersecurity on financial audits Separate and distinct from the AICPA cybersecurity attestation project Communication to firms AICPA has initiated a project to develop subject matter and attestation guidance for reporting on cybersecurity as it relates to the operations and compliance of an entity Page 7
Timeline of AICPA IT security auditing 1995: BS 7799 Predecessor of ISO 27001/27002 2000: BS 7799 adopted as ISO 17799 1992 1997 2002: Federal Information Security Management Act 1999 2003 2010 SysTrust Principles & criteria for systems reliability 2011 Trust Services Principles & Criteria SOC 2 Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy SSAE 16 Reporting on Controls at a Service Organization 1974 1982 SAS 70 Service Organizations SAS 44 Special-Purpose Reports on Internal Accounting Control at Service Organizations WebTrust Principles & criteria for electronic commerce SAS 3 The Effects of EDP on the Auditor s Study and Evaluation of Internal Control Page 8
Current state of security attestation Trust services principles and criteria Updated 2014 Currently under revision for privacy criteria rewrite May be updated as a result of cybersecurity project Service organization reporting Principles Security Availability Processing Integrity Confidentiality Privacy Two different reports SOC 2 SOC 3 Page 9
CAQ communications to firms Auditor responsibilities Identifying and assessing the risk of material misstatement Understanding the nature of the entity and its environment Understanding the effect of IT on financial reporting and ICFR Consideration of financial statement misstatement risk Assessing the impact of any breaches on financial reporting and ICFR Page 10
Internal control and cybersecurity at an entity Objectives of internal control Components Control environment Risk assessment Information and communications Control activities Operations Security Change Management Entity level Division Operating unit Function System Monitoring activities Security controls addressed as part of a financial audit Page 11
AICPA cybersecurity attestation project Working group under the Assurance Services Executive Committee Support from the CAQ Member firm support Outreach to users and industry as the project develops Page 12
Existing security frameworks Many different security frameworks exist: Management frameworks establish defined processes for managing security ISO 27001 NIST Cybersecurity Framework for Critical Infrastructure Control frameworks establish guidance in implementing specific controls to address identified risks ISO 27002 and related NIST Special Publications (e.g., NIST SP 800-53) The trust services principles and criteria are a reporting framework used to evaluate the results of management processes and the controls they implement. Page 13
AICPA cybersecurity attestation project Goal Identify the information needed by users for decision-making Develop cybersecurity information subject to engagement Identify suitable criteria for evaluating the subject matter Develop practitioner guidance Page 14
Key considerations for practitioners Cybersecurity is a business issue with financial statement implications, affecting customers, business partners, investors and the public. Entities of all sizes and in all industries are affected. Practitioners need to be able to support stakeholders by: Assessing the impact of a cybersecurity incident on financial statements Providing independent assessments of cybersecurity risk management to concerned stakeholders Providing an independent perspective regarding the entity s cybersecurity risks and risk management program to those charged with governance and senior management Page 15
Cybersecurity report conceptual structure Management will provide useful information based on established criteria. Management will assert to the fairness of presentation of the information and the design and operating effectiveness of the controls related to cybersecurity. We are currently in the early stages of development. Page 16
Page 17 Questions?
Contact information Chris Halterman chris.halterman@ey.com +1 515 362 7026 EY 801 Grand Ave., Suite 3000 Des Moines, Iowa USA 50309 Page 18
EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. 2015 Ernst & Young LLP. All Rights Reserved. BSC No. 1509-1695230 This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.