The AICPA has recently published a reporting framework for CPA firms to perform an assessment of an organization’s cybersecurity risk management program. A SOC for Cybersecurity Report is an examination to provide stakeholders with information regarding an organization’s cybersecurity risk management program and controls.
This examination report can provide a benefit to an organization both internally and externally. Internally, the examination process and report can benefit senior management and the board of directors when evaluating their organization’s cybersecurity risk management program. Externally, the report can provide information to analysts, investors, business partners and others who might be affected by the effectiveness of the organization’s cybersecurity risk management program and controls.
The AICPA is in the process of creating three reporting levels for the SOC for Cybersecurity Report: Entity, Service Provider, and Supply Chain. Each reporting level will provide different benefits to user entities as follows:
Three Reporting Levels for the SOC for Cybersecurity Report
- Entity Level: Provides transparency to key elements of an organization’s entity-wide cybersecurity risk management program.
- Service Provider Level: In addition to entity-level benefits, provides sufficient, detailed information to address user entities’ vendor risk management needs.
- Supply Chain Level: In addition to entity-level benefits, provides sufficient, detailed information to address the user entities’ supply chain risk management needs.
The AICPA determined that the Entity-level reporting framework should be developed first. (Both the Service Provider and Supply Chain level reports are still in the planning stages within the AICPA.)
The following information pertains only to the Entity level report.
The Entity level of the SOC for Cybersecurity Report will comprise the following components:
- Management’s Description: Similar to a SOC 2 examination, management’s description is a management-prepared narrative description of the entity’s cybersecurity risk management program. The description is designed to provide information about how the entity identifies its sensitive information and systems, the ways in which the entity manages the cybersecurity risks that threaten it, and a summary of the controls implemented to protect the information and systems against those risks.
- Management’s Assertion: Management provides an assertion that the description was presented in accordance with the description criteria and that the controls implemented as part of the program were effective to achieve the entity’s cybersecurity objectives.
- The Practitioner’s Opinion: A CPA’s opinion on the description of the entity’s cybersecurity risk management program and the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.
The AICPA has determined that a SOC for Cybersecurity Report can be completed using the revised Trust Services Criteria (2017), the NIST Cybersecurity Framework, the ISO framework, the COBIT framework or any additional framework as the control criteria, so long as the framework is suitable and appropriate in accordance with the AICPA’s attestation standards. The AICPA is still in the process of releasing further information on the SOC for Cybersecurity Report process. Keep an eye out for Schneider Downs’ upcoming Our Thoughts On articles, which will discuss the acceptable testing criteria as the AICPA releases additional information.