If you will recall, the April 25, 2017 edition of deTECH discussed changes in SOC reporting in 2017. Many changes are cosmetic or address changes in accounting standards. For example, SOC no longer means Service Organization Control. Instead, the AICPA has introduced the term system and organization controls to refer to SOC engagements. In addition, SSAE 16 has been superseded by SSAE 18, which restructures the standards for attestation engagements. Therefore, a company will no longer receive an ‘SSAE 16 Audit’, but instead a ‘SOC 1 for Service Organizations: ICFR’. The changes introduced in 2017, however, aren’t just cosmetic. So what about SOC for Cybersecurity?
The AICPA recognizes that the cybersecurity threats facing organizations present a significant business risk, and has responded by introducing the Cybersecurity Risk Management Examination, or SOC for Cybersecurity. Several of us on the RAS team attended the AICPA’s ENGAGE conference earlier this summer where we heard presentations and discussion about SOC for Cybersecurity. I wanted to highlight some of the important features of this emerging examination because we expect it to become a valued and respected report as organizations learn more about it.
Description of the Examination
The SOC for Cybersecurity examination is an attestation engagement in which a CPA opines on an entity’s cybersecurity risk management program. The examination includes two distinct but complementary subject matters: (1) a description of an entity’s cybersecurity risk management program and (2) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. The entity is responsible for preparing a description of its cybersecurity risk management program based on description criteria. The AICPA provides description criteria for an entity’s management to use in developing the description of the cybersecurity risk management program, but an entity may choose any suitable description criteria, provided they meet the AICPA’s standards.
In addition to the description, an entity is responsible for defining its cybersecurity objectives and defining controls based on suitable control criteria. In most circumstances, the AICPA’s Trust Services Criteria of Security, Availability and Confidentiality will be appropriate control criteria. You can think of Cybersecurity Objectives as the cyber-cousin to the Control Objectives in a SOC 1 report (“Controls provide reasonable assurance that…”). They are defined by management and supported by controls intended to meet each Cybersecurity Objective.
A significant difference between the original SOC reports and SOC for Cybersecurity reports is that SOC 1 and SOC 2 reports include a section prepared by the service auditor that lists the specific controls, the auditor’s tests of those controls, and the results of those tests. Because the SOC for Cybersecurity is a general use report (see the next paragraph), it will not contain a section with specific controls or tests performed by the auditor.
Use of the Report
One of the most interesting things about the SOC for Cybersecurity is its use as a general purpose report, meaning its use is not, under normal circumstances, restricted to certain users. The intended users of the report include Boards of Directors or other governing bodies, as well as organizations that want to demonstrate their cybersecurity risk management program to their users, investors, analysts, business partners or industry regulators. The full report, which includes management’s assertion, the Independent Accountant’s Report, and the Description of the Cybersecurity Risk Management Program, is intended to provide adequate information about the entity’s cybersecurity risk management program, but not so much information as to expose the entity to undue risk by informing the general public about specific cybersecurity defenses or tactics. With such a broad range of users, it’s easy to envision this report being made publicly available alongside a company’s financial statements or other investor information.
What SOC for Cybersecurity is Not
It is important to specify what a SOC for Cybersecurity is not trying to accomplish. The engagement does not warrant that an entity is impervious to a cyber-event. A basic tenet of cybersecurity, especially in the current paradigm, is that entities are constantly under attack. Defense-in-depth, active monitoring and timely detection and response are key components of a cybersecurity risk management program and are addressed in the examination.
In addition, SOC for Cybersecurity guidance does not appear to leave room for what we have typically referred to as a “type 1” report. With SOC 1 and SOC 2, a CPA could issue a report on the design of a service organization’s controls as of a specific date, and refrain from opining on the operating effectiveness of the controls. Not the case here. SOC for Cybersecurity engagements will cover a period of time, opining on the operating effectiveness of cybersecurity controls to meet the cybersecurity objectives, along with an opinion on whether the cybersecurity risk management program is presented in accordance with the description criteria.
The AICPA has recognized the need to elevate cybersecurity threats to legitimate business risks, in the same way that financial statement fraud or insider trading are threats to public confidence in our financial system. This was a substantial theme at the AICPA’s ENGAGE conference in June. Significant time was devoted to discussing cybersecurity and how technology will impact the profession. The SOC for Cybersecurity examination will give entities the ability to demonstrate their cybersecurity risk management capability to a wide range of report users, in the same way a CPA firm gives independent assurance on their financial statements.
If you are interested in learning more about SOC for Cybersecurity (there is a lot more to discuss), contact us and we would love to talk with you.
Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.