SOC for Cybersecurity 


Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.

To address this market need, the AICPA has developed a cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization's enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations' efforts.

Please scroll down for resources including background materials, guidance and criteria, news and comment letters, and related CPE and tools.

CPAs: Provides information to CPAs on understanding and performing engagements on an organization’s cybersecurity risk management program.

Users: Provides users (senior management, boards of directors, analysts, investors & business partners) with useful information for decision-making about an organization’s cybersecurity risk management program.

Organizations: Provides organizations with a framework for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence.


Introduction to the AICPA's Cybersecurity Risk Management Framework [Video]

The AICPA’s new cybersecurity risk management reporting framework helps organizations communicate about and CPAs report on cybersecurity risk management programs. Learn more about the framework in this video featuring Sue Coffey, CPA, CGMA, AICPA executive vice president for public practice.

Q&A: Cybersecurity and the Accounting Profession [Video]

Learn about the profession’s efforts to support CPAs providing cybersecurity risk management assurance and advisory services in these video Q&As featuring Sue Coffey, CPA, CGMA, AICPA executive vice president for public practice.

Guides and Professional Standards for Cybersecurity Risk Management Reporting Framework

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria)

These criteria are intended for use by CPAs to provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or for SOC 2® and SOC 3® engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (description criteria)

These criteria are intended for use by management in designing and describing their cybersecurity risk management program, and by CPAs to report on management’s description.

AICPA Guide: Reporting on an Entity’s Cybersecurity Risk Management Program and Controls

This guide delivers information on how to implement the AICPA's cybersecurity risk management reporting framework and provides CPAs with guidance on how to perform and report on an examination of an organization's enterprise-wide cybersecurity risk management program for organizations seeking a CPA's opinion.

Attestation Standards

This 2017 edition of the AICPA Codification of Statements on Standards for Attestation Engagements includes the newly clarified Statements on Standards for Attestation Engagements in SSAE No. 18, Attestation Standards: Clarification and Recodification. Redrafted in accordance with the clarity drafting conventions and differentiated from the extant standards by using the identifier “AT-C”, the attestation standards are easier to read, understand, and apply by establishing objectives and definitions in each AT-C section, and separating requirements from application and other explanatory material.

Some of the more significant changes introduced by SSAE No. 18 include (among other changes):
• Separation of procedural and reporting requirements for review engagements from their counterparts for examination engagements
• Required representation letters
• More robust risk assessment for examination engagements

SSAE No. 18 supersedes all of the extant attestation standards with the following exceptions:
• AT 501, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements
• AT 701, Management’s Discussion and Analysis

SOC for Cybersecurity Continuing Professional Education

July 17, 2017 Webcast Rebroadcast - AICPA’s New Examination Engagement: SOC for Cybersecurity

SOC for Cybersecurity Resources

For additional resources, visit the AICPA's Cybersecurity Resource Center.

News & Comment Letters

© 2017 Association of International Certified Professional Accountants. All rights reserved.