Page 161 - CITP Review

7.
    a.  Correct. The board of directors needs information about the cybersecurity risks an entity
        faces and the cybersecurity risk management program that management implements in order
        to fulfill its oversight responsibilities. The board may also request an evaluation
        from an independent third-party assessor to determine management's effectiveness in
        managing cybersecurity risks.

    b.  Incorrect. Analysts and investors may benefit from information about an entity's
        cybersecurity risk management program, but they are not in a position to require
        management to provide information about an entity's cybersecurity measures. They
        must rely on publicly available information.

    c.  Incorrect. Business partners may need information regarding the entity's cybersecurity
        risk management program to help in their overall risk assessment, but they are not in a
        position to require management to provide that information. They must rely on publicly
        available information.

    d.  Incorrect. Industry regulators may benefit from information about an entity's
        cybersecurity risk management program to support their oversight role, but they are not
        in a position to require management to provide it.

8.

    a.  Incorrect. A GAAP audit is an attestation engagement, not an advisory service engagement.

    b.  Correct. A readiness assessment is an advisory service a CITP may perform for ABC
        company to prepare the organization for a subsequent SOC for Cybersecurity
        engagement.

    c.  Incorrect. A SOC for Cybersecurity engagement is an attestation engagement, not an
        advisory service engagement.

    d.  Incorrect. An examination is an attest service, not an advisory service.

9.

    a.  Correct. A SOC for Cybersecurity engagement is an example of a cybersecurity attest
        service that may be performed by a CITP for ABC company.

    b.  Incorrect. A readiness assessment is an example of a cybersecurity advisory service that
        may be performed by a CITP for ABC company.

    c.  Incorrect. A GAAP audit is an example of a non-cybersecurity (financial) attest service
        that may be performed by a CITP for ABC company.

    d.  Incorrect. A security risk assessment is an example of a cybersecurity advisory service,
        not a cybersecurity attest service.
            © 2019 Association of International Certified Professional Accountants. All rights reserved.    Solutions 3