AICPA releases SOC for Cybersecurity Examination Guidelines

The AICPA has recently published a reporting framework for CPA firms to perform an assessment of an organization’s cybersecurity risk management program.  A SOC for Cybersecurity Report is an examination to provide stakeholders with information regarding an organization’s cybersecurity risk management program and controls. 

This examination report can provide a benefit to an organization both internally and externally.  Internally, the examination process and report can benefit senior management and the board of directors when evaluating their organization’s cybersecurity risk management program.  Externally, the report can provide information to analysts, investors, business partners and others who might be affected by the effectiveness of the organization’s cybersecurity risk management program and controls.

The AICPA is in the process of creating three reporting levels for the SOC for Cybersecurity Report: Entity, Service Provider, and Supply Chain.  Each reporting level will provide different benefits to user entities as follows:

Three Reporting Levels for the SOC for Cybersecurity Report

  • Entity Level: Provides transparency to key elements of an organization’s entity-wide cybersecurity risk management program.
  • Service Provider Level:  In addition to entity-level benefits, provides sufficient, detailed information to address user entities’ vendor risk management needs.
  • Supply Chain Level: In addition to entity-level benefits, provides sufficient, detailed information to address the user entities’ supply chain risk management needs.

The AICPA determined that the Entity-level reporting framework should be developed first.  (Both the Service Provider and Supply Chain level reports are still in the planning stages within the AICPA.)  

The following information pertains only to the Entity level report.

The Entity level of the SOC for Cybersecurity Report will comprise the following components:

  • Management’s Description: Similar to a SOC 2 examination, management’s description is a management-prepared narrative description of the entity’s cybersecurity risk management program.  The description is designed to provide information about how the entity identifies its sensitive information and systems, the ways in which the entity manages the cybersecurity risks that threaten it and a summary of controls implemented to protect the information and systems against those risks.
  • Management’s Assertion: Management provides an assertion that the description was presented in accordance with the description criteria and that the controls implemented as part of the program were effective to achieve the entity’s cybersecurity objectives.
  • The Practitioner’s Opinion: A CPA’s opinion on the description of the entity’s cybersecurity risk management program and the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.

The AICPA has determined that a SOC for Cybersecurity Report can be completed using the revised Trust Services Criteria (2017), NIST Cybersecurity Framework, ISO Framework COBIT Framework or any additional framework as the control criteria, so long at the framework is suitable and appropriate in accordance with the AICPA’s attestation standards.  The AICPA is still in the process of releasing further information on the SOC for Cybersecurity Report process.  Keep an eye out for Schneider Downs’ upcoming Our Thoughts On articles to discuss the acceptable testing criteria as the AICPA releases additional information.

For more information on how Schneider Downs’ SOC and Cybersecurity Practice professionals can help your organization with your SOC for Cybersecurity program initiatives, please contact us.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

Impersonation Attacks Targeting Microsoft Teams
ProLock Ransomware Attacks Overview and Mitigation Strategies
How Risk Management and Internal Audit Can Add Value in Light of the Current Pandemic: COVID-19 Risk Considerations
Introducing the Schneider Downs Cybersecurity Newsletter
Ohio Unemployment Fraud Reporting Site under Attack
Stopping Ransomware Cold: Lessons from the Front Lines

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102