Understanding the increasingly important role CPAs play as a trusted advisor, the American Institute of Certified Public Accountants (AICPA) released its guidance relating to a cybersecurity risk management reporting framework on April 26, 2017. The new SOC for Cybersecurity guidance provides a common language for organizations to use in describing their cybersecurity risk management program effectiveness. It will serve as the basis for CPAs to help boards of directors, senior management and other stakeholders gain a “better understanding of an organization’s enterprise-wide cybersecurity risk management program,” and for CPAs to examine and report on an entity’s cybersecurity measures. According to the AICPA, this guidance serves as “a natural extension of the CPA role.”
The new guidance provides a framework to help organizations better understand the core components of effective cybersecurity risk management. This enables organizations to report on their cybersecurity management programs to external stakeholders with the credibility associated with an independent examination report.
Establish stakeholder expectations for transparency and comprehension of your organization’s cybersecurity measures. Board members, customers and constituents, business partners, analysts, investors, and industry regulators may have slightly different perspectives, but all are concerned with cybersecurity. Make sure you factor in the expectations of each type of stakeholder and how you will communicate details of your cybersecurity management program.
Evaluate the description criteria and your current cybersecurity management program in the context of your ability to address the required elements.
Ensure that your organization has adopted a cybersecurity control framework to help guide the design and implementation of controls to address cybersecurity risks.
Consider engaging a CPA firm to assess your readiness to have cybersecurity controls examined.
The guidance defines two key elements to be addressed:
The guidance lays out nine categories to be included in the description of an organization’s cybersecurity program.
Within each of the nine categories, the final guidance presents 26 related points of focus to help explain relevant aspects of the organization’s cybersecurity risk management program. It’s important to note that in the preparation of an effective and efficient program description, management may not need to address each point of focus. The guidance recognizes that certain points may “not be suitable or relevant” in every circumstance. In some cases, factors may be considered that are not explicitly included among the description criteria. It is therefore incumbent upon the auditor to render an opinion on whether the description is fairly presented in accordance with the description criteria and an organization’s unique circumstances.
Several points of focus refer to cybersecurity controls that should be in place. Most significantly, the guidance suggests that management should leverage a recognized framework when implementing cybersecurity controls. The AICPA has updated the Trust Services Principles and Criteria for use as a cybersecurity control framework. Alternatively, other recognized cybersecurity frameworks can be used on the condition that they are determined to be “suitable criteria” according to examination standards.
The AICPA’s new SOC for Cybersecurity guidance provides a framework for an entity-wide cybersecurity examination engagement and new description criteria to help effectively and efficiently describe the cybersecurity risk management program. The scope of the SOC for Cybersecurity extends beyond existing SOC 2 reporting guidance. The majority of the controls applicable to a SOC 2 report would be applicable to a SOC for Cybersecurity examination; however, the SOC for Cybersecurity examination would likely include a much broader scope and require additional controls. Currently the AICPA “is in the process of revising the SOC 2 guide for service organizations. Once that project is completed, the AICPA will develop a new supply-chain/vendor risk management guide to address the supply-chain level.”