551.00 ₪

Guide - Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, 2017

ISBN13
9781943546725
Published in
NC
Delivery time
21 business days
Pages
288
Format
Paperback / softback
Publication date
1 Aug 2017
Series name
AICPA
Created by the AICPA, this authoritative guide provides interpretative guidance to enable accountants to examine and report on an entity's cybersecurity risk management program and the controls within that program. The guide delivers a framework designed to provide stakeholders with useful, credible information about the effectiveness of an entity's cybersecurity efforts.
Additional information
ISBN10 194354672X
Table of contents

1 Introduction and Background .01-.59
  Introduction .01-.02
  Potential Users of Cybersecurity Information and Their Interests .03-.07
  Cybersecurity Risk Management Examination .08-.14
  Difference Between Cybersecurity and Information Security .15-.17
  Description of the Entity's Cybersecurity Risk Management Program .18-.26
    The Entity's Cybersecurity Objectives .22-.26
  Effectiveness of Controls Within the Entity's Cybersecurity Risk Management Program .27-.29
  Overview of the Cybersecurity Risk Management Examination .30-.44
    Other Information About the Cybersecurity Risk Management Examination .36
    Time Frame of Examination .37
    Comparison of the Cybersecurity Risk Management Examination With an Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements .38
    Cybersecurity Risk Management Examination That Addresses Only a Portion of the Entity's Cybersecurity Risk Management Program .39-.41
    Cybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls (Design-Only Examination) .42-.44
  Other Engagements Related to Controls Over Security, Availability, Processing Integrity, Confidentiality, or Privacy .45-.50
    SOC 2 Engagements .46-.48
    Comparison of a Cybersecurity Risk Management Examination and a SOC 2 Engagement .49
    Engagements Under the AICPA Consulting Standards .50
  Professional Standards .51-.56
    Attestation Standards .52-.55
    Code of Professional Conduct .56
  Quality in the Cybersecurity Risk Management Examination .57-.59

2 Accepting and Planning a Cybersecurity Risk Management Examination .01-.145
  Introduction .01-.02
  Understanding Management's Responsibilities .03-.07
  Practitioner's Responsibilities .08
  Accepting or Continuing an Engagement .09-.14
    Preconditions of a Cybersecurity Risk Management Examination .10-.14
  Determining Whether the Subject Matter Is Appropriate for the Cybersecurity Risk Management Examination .15-.41
    Determining Whether the Subject Matter of the Engagement Is Appropriate When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity's Cybersecurity Risk Management Program .17-.23
    Determining Whether the Subject Matter Is Appropriate When the Examination Addresses Only the Suitability of the Design of Controls Within the Entity's Cybersecurity Risk Management Program (Design-Only Examination) .24-.27
    Determining Whether Management Is Likely to Have a Reasonable Basis for the Assertion .28-.36
    Consideration of Third Parties .37-.41
  Assessing the Suitability and Availability of Criteria and the Related Cybersecurity Objectives .42-.61
    Description Criteria .45-.47
    Control Criteria .48-.54
    Assessing the Suitability of the Entity's Cybersecurity Objectives .55-.61
  Requesting a Written Assertion and Representations From Management .62-.65
  Considering Practitioner Independence .66-.69
  Considering the Competence of Engagement Team Members .70-.73
  Establishing the Terms of the Engagement .74-.85
    Accepting a Change in the Terms of the Engagement .81-.85
  Establishing an Overall Examination Strategy and Planning the Examination .86-.99
    Considering Materiality During Planning .94-.99
  Performing Risk Assessment Procedures .100-.110
    Obtaining an Understanding of the Entity's Cybersecurity Risk Management Program and Controls Within That Program .100-.103
    Assessing the Risk of Material Misstatement .104-.110
  Understanding the Internal Audit Function .111-.115
  Planning to Use the Work of Internal Auditors .116-.131
    Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors .118-.123
    Determining the Extent to Which to Use the Work of Internal Auditors .124-.125
    Coordinating Procedures With the Internal Auditors .126-.130
    Evaluating Whether the Work of Internal Auditors Is Adequate for the Practitioner's Purposes .131
  Planning to Use the Work of an Other Practitioner .132-.138
  Planning to Use the Work of a Practitioner's Specialist .139-.145

3 Performing the Cybersecurity Risk Management Examination .01-.156
  Responding to Assessed Risks and Obtaining Evidence .01-.13
    Considering Materiality in Responding to the Assessed Risks and Planning Procedures .04-.08
    Designing Overall Responses to the Risk Assessment .09-.13
  Obtaining Evidence About Whether the Description of the Entity's Cybersecurity Risk Management Program Is Presented in Accordance With the Description Criteria .14-.37
    Materiality Considerations When Evaluating Whether the Description Is Presented in Accordance With the Description Criteria .19-.21
    Considering Whether the Description Is Misstated or Otherwise Misleading .22-.26
    Evaluating the Description When the Cybersecurity Risk Management Examination Addresses Only a Portion of the Entity's Cybersecurity Risk Management Program .27-.28
    Procedures to Obtain Evidence About the Description .29-.33
    Considering the Suitability of the Entity's Cybersecurity Objectives .34-.37
  Materiality Considerations When Evaluating the Effectiveness of Controls to Achieve the Entity's Cybersecurity Objectives .38-.42
  Obtaining and Evaluating Evidence About the Suitability of the Design of Controls to Achieve the Entity's Cybersecurity Objectives .43-.56
    Identifying and Evaluating Deficiencies in the Suitability of Control Design .55-.56
  Obtaining Evidence About the Operating Effectiveness of Controls to Achieve the Entity's Cybersecurity Objectives .57-.92
    Designing and Performing Procedures to Evaluate the Operating Effectiveness of Controls .60-.62
    Nature of Procedures to Evaluate the Effectiveness of Controls .63-.69
    Evaluating the Reliability of Information Produced by the Entity .70-.78
    Timing of Procedures .79-.82
    Extent of Procedures .83-.89
    Selecting Items to Be Tested .90-.91
    Testing Changes to Controls .92
  Risk Mitigation and Control Considerations Related to Third Parties .93-.98
  Controls Did Not Need to Operate During the Period Covered by the Practitioner's Report .99
  Revising the Risk Assessment .100
  Using the Work of Internal Auditors .101-.113
  Using the Work of a Practitioner's Specialist .114-.116
  Evaluating the Results of Procedures .117-.123
  Responding to and Communicating Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies .124-.130
    Known or Suspected Fraud or Noncompliance With Laws or Regulations .124-.126
    Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies .127-.130
  Obtaining Written Representations From Management .131-.146
    Requested Written Representations Not Provided or Not Reliable .136-.138
    Subsequent Events and Subsequently Discovered Facts .139-.145
    Subsequent Events Unlikely to Have an Effect on the Practitioner's Opinion .146
  Documentation .147-.151
  Management's Responsibilities at or Near Engagement Completion .152-.156
    Modifying Management's Assertion .153-.156

4 Forming the Opinion and Preparing the Practitioner's Report .01-.65
  Responsibilities of the Practitioner .01-.03
  Forming the Practitioner's Opinion .04-.11
    Considering the Sufficiency and Appropriateness of Evidence .05
    Considering Material Uncorrected Description Misstatements and Deficiencies .06-.08
    Expressing an Opinion on the Subject Matters in the Cybersecurity Risk Management Examination .09-.11
  Preparing the Practitioner's Report .12-.15
    Elements of the Practitioner's Report .12-.13
    Tailoring the Practitioner's Report in a Design-Only Examination .14-.15
  Modifications to the Practitioner's Opinion .16-.25
    Emphasis of Certain Matters .22-.23
    Controls Did Not Operate During the Period Covered by the Report .24-.25
  Material Misstatements .26-.41
    Qualified Opinion .27-.29
    Adverse Opinion .30-.31
    Separate Paragraphs Because of Material Misstatements in the Description .32-.37
    Separate Paragraphs Because of Material Deficiencies in the Effectiveness of Controls to Achieve the Entity's Cybersecurity Objectives .38-.41
  Scope Limitation .42-.48
    Qualified Opinion .45-.47
    Disclaimer of Opinion .48
  Restricting the Use of the Practitioner's Report .49-.55
    Restricting Use When Required by Professional Standards .49-.53
    Restricting Use in Other Situations .54-.55
  Distribution of the Report .56-.58
  Reporting When Using the Work of an Other Practitioner .59
  Reporting When a Specialist Is Used for the Cybersecurity Risk Management Examination .60
  Report Date .61
  Other Information .62-.65

Appendix
  A Information for Entity Management
  B Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2 Examination and Related Reports
  C Description Criteria for Use in the Cybersecurity Risk Management Examination
  D Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination
  E Illustrative Management Assertion in the Cybersecurity Risk Management Examination
  F-1 Illustrative Accountant's Report in the Cybersecurity Risk Management Examination
  F-2 Illustrative Accountant's Report in a Cybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls Implemented Within the Entity's Cybersecurity Risk Management Program (Design-Only Report) as of a Point in Time
  G Illustrative Cybersecurity Risk Management Report
  H Definitions
  I Overview of Statements on Quality Control Standards

Index of Pronouncements and Other Technical Guidance
Subject Index