
On the Horizon -- AICPA introduces cybersecurity risk management reporting framework

Contents

SEC
   FAQs issued by Office of Structured Disclosure
AICPA
   Cybersecurity risk management reporting framework introduced
   Audit and accounting guides issued
   Employee benefit plans audit risk alert released
   Trust services criteria updated
   Technical auditing Q&As on business processes and internal control issued
GASB issues implementation guidance to clarify recent pronouncements




SEC

FAQs issued by Office of Structured Disclosure

On April 27, the staff of the SEC’s Office of Structured Disclosure released FAQs on the IFRS Taxonomy available for certain foreign private issuers that prepare their financial statements in accordance with IFRS Standards as issued by the IASB.

On the same day, the staff also added certain FAQs on Inline XBRL.




AICPA

Cybersecurity risk management reporting framework introduced

The AICPA introduced a new cybersecurity risk management reporting framework, intended to create a common language for communicating about, and reporting on, an entity’s cybersecurity risk management efforts. The framework calls for three key pieces of cybersecurity information:

  • Management’s description of the organization’s cybersecurity risk management program
  • Management’s assertion about the program description and the effectiveness of the controls within that program
  • The CPA’s opinion about the description and control effectiveness

Two sets of criteria were issued to support this new framework:

  • Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program – Criteria to be used by management when describing its cybersecurity risk management program, and by CPAs when evaluating management’s description
  • 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy – Criteria (specifically those for security, availability, and confidentiality) for use by management and CPAs when evaluating whether the controls within the cybersecurity risk management program are effective in achieving the entity’s cybersecurity objectives

An attest guide, “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” will be published in the near future to assist CPAs engaged to examine and report on an entity’s cybersecurity risk management program.

Audit and accounting guides issued

The AICPA issued updated versions of the following Audit and Accounting Guides (significant changes are highlighted below):

  • Government Auditing Standards and Single Audits
  • Prospective Financial Information – Updated to include guidance on performing attestation engagements on prospective financial information in accordance with the newly effective Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.
  • Revenue Recognition – Updated to include implementation issues for broker-dealer, gaming, health care, not-for-profit, and software industries. Additional implementation issues are included in Chapter 3, “Aerospace and Defense Entities,” and Chapter 4, “Asset Management.”

Employee benefit plans audit risk alert released

The AICPA issued an Audit Risk Alert, Employee Benefit Plans Industry Developments – 2017. The alert provides an overview of recent industry, technical, regulatory, and professional developments as well as future and emerging issues for auditors to consider.

Trust services criteria updated

The AICPA’s Assurance Services Executive Committee updated the Trust Services Criteria to reflect the addition of TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The criteria are used in reporting on cybersecurity risk management engagements and in SOC 2 and SOC 3 engagements. This edition revises the trust services criteria to

  • Align with the 2013 COSO Internal Control – Integrated Framework
  • Better address cybersecurity risks
  • Increase flexibility in application across an entire entity, including at a subsidiary, division, or operating unit level within a function relevant to an entity’s operational, reporting, or compliance objectives

Technical auditing Q&As on business processes and internal control issued

The AICPA issued the following new technical questions and answers (Q&As) on business processes and internal control under Technical Inquiry Service (TIS) Section 8200, Internal Control:

  • TIS Section 8200.17, “Obtaining an Understanding of Business Processes Relevant to Financial Reporting and Communication”
  • TIS Section 8200.18, “Obtaining an Understanding of Internal Control Relevant to the Audit”
  • TIS Section 8200.19, “Obtaining an Understanding of the Controls Relevant to the Audit”
  • TIS Section 8200.20, “Control Activities That Are Always Relevant to the Audit”
  • TIS Section 8200.21, “Control Activities That May Be Relevant to the Audit”



GASB issues implementation guidance to clarify recent pronouncements

The Governmental Accounting Standards Board (GASB) issued Implementation Guidance Update – 2017, which contains questions and answers intended to clarify, explain, or elaborate on GASB guidance.

The guide addresses a wide array of practice issues, including questions related to the GASB’s existing accounting and financial reporting guidance on

  • Cash flow reporting
  • The financial reporting entity
  • Pensions - plans and employers
  • Certain investments and external investment pools
  • Fund balance reporting and governmental fund type definitions
  • Tax-abatement disclosures

The guide also includes amendments to previously issued implementation guidance.

The requirements of the guide are effective for reporting periods beginning after June 15, 2017. Earlier application is encouraged if the guidance addressed by the guide has already been implemented.

State and local governments should adopt any changes to conform to the provisions of the guide retroactively. If retroactive restatement is not practicable, the cumulative effect, if any, of applying the provisions of the guide should be reported as a restatement of beginning net position (or fund balance or fund net position, as applicable).




© 2017 Grant Thornton LLP, U.S. member firm of Grant Thornton International Ltd. All rights reserved. This Grant Thornton LLP On the Horizon provides information and comments on current accounting and SEC reporting issues and developments. It is not a comprehensive analysis of the subject matter covered and is not intended to provide accounting or other advice or guidance with respect to the matters addressed in this publication. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this publication. For additional information on topics covered in this publication, contact a Grant Thornton client-service partner.