ALERT: AICPA releases final guidance on SOC for Cybersecurity

Guidance focuses on cybersecurity risk management reporting framework; organizations should assess readiness and controls now

Understanding the increasingly important role CPAs play as a trusted advisor, the American Institute of Certified Public Accountants (AICPA) released its guidance relating to a cybersecurity risk management reporting framework on April 26, 2017. The new SOC for Cybersecurity guidance provides a common language for organizations to use in describing their cybersecurity risk management program effectiveness. It will serve as the basis for CPAs to help boards of directors, senior management and other stakeholders gain a “better understanding of an organization’s enterprise-wide cybersecurity risk management program,” and for CPAs to examine and report on an entity’s cybersecurity measures. According to the AICPA, this guidance serves as “a natural extension of the CPA role.”

Why this is important

The new guidance provides a framework to help organizations better understand the core components of effective cybersecurity risk management. This enables organizations to report on their cybersecurity management programs to external stakeholders with the credibility associated with an independent examination report.

What to do now

Establish stakeholder expectations for transparency and comprehension of your organization’s cybersecurity measures. Board members, customers and constituents, business partners, analysts, investors, and industry regulators may have slightly different perspectives, but all are concerned with cybersecurity. Make sure you factor in the expectations of each type of stakeholder and how you will communicate details of your cybersecurity management program.
Evaluate the description criteria and your current cybersecurity management program in the context of your ability to address the required elements.
Ensure that your organization has adopted a cybersecurity control framework to help guide the design and implementation of controls to address cybersecurity risks.
Consider engaging a CPA firm to assess your readiness to have cybersecurity controls examined.

What you need to know

The guidance defines two key elements to be addressed:

  • An account of the organization’s cybersecurity risk management program according to description criteria outlined in the AICPA guidance. The description is intended to provide a comprehensive understanding of the cybersecurity risks affecting a particular entity and the processes and controls the entity has implemented to manage those risks.
  • An assessment of the effectiveness of systems, tools and processes designed to protect an organization from security events based on the control criteria established in the AICPA guidance.

Description criteria

The guidance lays out nine categories to be included in the description of an organization’s cybersecurity program.

  1. Nature of the business and operations
  2. Nature of information at risk
  3. Cybersecurity risk management program objectives
  4. Factors that have a significant effect on inherent risks related to the use of technology
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and quality of cybersecurity information
  8. Monitoring of the cybersecurity risk management program
  9. Cybersecurity control processes

Within each of the nine categories, the final guidance presents 26 related points of focus to help explain relevant aspects of the organization’s cybersecurity risk management program. It’s important to note that in the preparation of an effective and efficient program description, management may not need to address each point of focus. The guidance recognizes that certain points may “not be suitable or relevant” in every circumstance. In some cases, factors may be considered that are not explicitly included among the description criteria. It is therefore incumbent upon the auditor to render an opinion on whether the description is fairly presented in accordance with the description criteria and an organization’s unique circumstances.

Control criteria

Several points of focus refer to cybersecurity controls that should be in place. Most significantly, the guidance suggests that management should leverage a recognized framework when implementing cybersecurity controls. The AICPA has updated the Trust Services Principles and Criteria description criteria for use as a cybersecurity control framework. Alternatively, other recognized cybersecurity frameworks can be used on the condition that they are determined to be “suitable criteria” according to examination standards.

How is this different from a SOC 2®?

The AICPA’s new SOC for Cybersecurity guidance provides a framework for an entity-wide cybersecurity examination engagement and new description criteria to help effectively and efficiently describe the cybersecurity risk management program. The scope of the SOC for Cybersecurity extends beyond existing SOC 2 reporting guidance. The majority of the controls applicable to a SOC 2 report would be applicable to a SOC for Cybersecurity examination; however, the SOC for Cybersecurity examination would likely include a much broader scope and require additional controls. Currently the AICPA “is in the process of revising the SOC 2 guide for service organizations. Once that project is completed, the AICPA will develop a new supply-chain/vendor risk management guide to address the supply-chain level.”

For more information, contact Baker Tilly’s Cybersecurity & IT Risk practice. You can also download our new ebook “Building a Sustainable Cybersecurity Management Program” here.