The document discusses a new System and Organization Controls for Cybersecurity (SOC for Cybersecurity) report introduced by the American Institute of Certified Public Accountants (AICPA) to address the growing need for evaluating and reporting on cybersecurity risk management. Certified public accountants will use the SOC for Cybersecurity report to evaluate entities' cybersecurity risk management programs, similar to how SOC 1 and SOC 2 reports evaluate control environments. The report consists of management providing a description of its cybersecurity risk management program and controls, and an audit professional opining on whether the description meets criteria and whether controls effectively achieve cybersecurity objectives. A SOC for Cybersecurity report can be used to address concerns from boards, management, analysts, investors,
ADVISORY
MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that is a member of Kreston International Limited, a global network of independent accounting firms.
Learn more at www.mhmcpa.com
As the world, organizations and individuals become increasingly dependent on information technology and the internet, and increasingly interconnected with other organizations and individuals, cybersecurity poses one of the largest threats in the current operating environment.
AICPA Introduces the SOC Report for Cybersecurity
Extending beyond the information technology sphere, information security incidents and data breaches are a daily occurrence in the news and can do major damage to operations. The recent WannaCry ransomware incident hit hospitals in Great Britain, telecom providers in Spain and major companies in China, the United States and several other countries. It locked users out of critical systems, grinding business—and in the case of the hospitals, patient care—to a halt.
In this environment, organizations are required to focus more attention on evaluating their cybersecurity protocols as part of their approach to risk management. At the same time, organizations are being asked to respond to inquiries about their cybersecurity risk management from their boards and executive management, and from external stakeholders such as analysts, investors, business partners, customers and regulators. To address the need for evaluation and assurance reporting on cybersecurity risk management for internal and external stakeholders, the AICPA recently issued a new System and Organization Controls (SOC) for Cybersecurity report. Certified public accountants (CPAs) will use the report to evaluate entities’ cybersecurity risk management programs, similar to the process used to evaluate an organization’s control environment in SOC 1 and SOC 2 reports.
The SOC for Cybersecurity Report
As part of the report, CPAs will look at two elements: the description of an entity’s cybersecurity risk management program, and the effectiveness of the controls within that program in achieving the entity’s cybersecurity objectives.

Management will be asked to provide a description of its cybersecurity risk management and information security programs and control environment, including the assets or data protected by the program and the processes the organization undertakes to protect those assets from cybersecurity risks. The AICPA has provided description criteria to assist management in preparing the description and to provide a common disclosure framework designed to meet the information needs of a broad range of internal and external stakeholders.
An organization’s management will also be asked to provide an assertion, either as of a point in time or for a specified period of time, that the description meets the AICPA’s description criteria. Management will also include an assertion on the suitability of the design and the operating effectiveness of its internal controls in meeting its cybersecurity objectives. As part of the examination, the CPA will evaluate the suitability of the design and the operating effectiveness of the organization’s controls, either against the AICPA’s Trust Services Criteria or, at the organization’s request, against other commonly accepted control criteria, such as the NIST Critical Infrastructure Cybersecurity Framework and ISO 27001/27002.
An audit professional then opines on whether management’s description of its cybersecurity program meets the AICPA’s description criteria and whether the cybersecurity controls are effective against the AICPA’s or other commonly accepted control criteria.