Page 41 - CITP Review
identifies and handles its information assets, how it manages cybersecurity risks, and the security processes and policies in place. The description allows users to understand management's conclusions as well as those of the practitioner in the report. Management uses the description criteria to prepare and evaluate an entity's cybersecurity risk management program.
Management's assertion. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether
– the description is presented in accordance with the description criteria, and
– the controls within the entity's cybersecurity risk management program were sufficient to meet the entity's cybersecurity objectives based on the control criteria.
Practitioner's report. The third component is a practitioner's report, which contains an opinion that addresses both subject matters in the examination. Specifically, the opinion addresses whether
– the description is presented in accordance with the description criteria, and
– the controls within the entity's cybersecurity risk management program were sufficient to meet the entity's cybersecurity objectives based on the control criteria.
Target audiences
Members of a board of directors (board members) need information about the cybersecurity risks an entity faces and the cybersecurity risk management program that management implements to help them fulfill their oversight responsibilities. They may also request an evaluation from an independent third-party assessor to determine management's effectiveness in managing cybersecurity risks.
Others may also need information about an entity's cybersecurity risks and its cybersecurity risk management program to make informed decisions. Those who need such information may include the following:
– Analysts and investors may benefit from information about an entity's cybersecurity risk management program. This information is intended to help them understand the cybersecurity risks that could threaten the achievement of the entity's operational, reporting, and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the entity's value and stock price.
– Business partners may need information regarding the entity's cybersecurity risk management program to help in their overall risk assessment. This information is intended to help business partners determine matters such as whether there is a need for multiple suppliers for a good or service and the extent to which they choose to extend credit to the entity.
– Some industry regulators may benefit from information about an entity's cybersecurity risk management program to support their oversight role.
Analysts, investors, business partners, and regulators recognize that entity management is responsible for identifying, assessing, and mitigating cybersecurity risks. Many, however, are not in a position to require management to provide information about an entity's cybersecurity measures to enable them to make better decisions; they must rely on publicly available information, such as that found in general purpose reports or regulatory filings, to meet their needs. In response to requests from these third parties, corporate directors and senior management have begun requesting general purpose reports
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-33