SOC for Cybersecurity 

Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.

To address this market need, the AICPA has developed a cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization's enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations' efforts.


CPAs
Provides information to CPAs on understanding and performing engagements on an organization’s cybersecurity risk management program.

Users
Provides users (senior management, boards of directors, analysts, investors and business partners) with useful information for decision-making about an organization’s cybersecurity risk management program.

Organizations
Provides organizations with a framework for communicating about the effectiveness of their cybersecurity risk management program to build trust and confidence.

Introduction to the AICPA's Cybersecurity Risk Management Framework [Video]

The AICPA’s new cybersecurity risk management reporting framework helps organizations communicate about and CPAs report on cybersecurity risk management programs. Learn more about the framework in this video featuring Sue Coffey, CPA, CGMA, AICPA executive vice president for public practice.
SOC for Cybersecurity Resources

For additional resources, visit the AICPA's Cybersecurity Resource Center.

    News & Comment Letters

    Guides and Professional Standards for Cybersecurity Risk Management Reporting Framework

    Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria), which are intended for use by CPAs to provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or for SOC 2® and SOC 3® engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

    Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (description criteria), which are intended for use by management in designing and describing their cybersecurity risk management program, and by CPAs to report on management’s description.


    AICPA Guide: Reporting on an Entity’s Cybersecurity Risk Management Program and Controls

    Attestation Standards

      This 2017 edition of the AICPA Codification of Statements on Standards for Attestation Engagements includes the newly clarified Statements on Standards for Attestation Engagements in SSAE No. 18, Attestation Standards: Clarification and Recodification. Redrafted in accordance with the clarity drafting conventions and differentiated from the extant standards by the identifier “AT-C”, the attestation standards are easier to read, understand, and apply, because each AT-C section establishes objectives and definitions and separates requirements from application and other explanatory material.

      Some of the more significant changes introduced by SSAE No. 18 include (among other changes):
      • Separation of procedural and reporting requirements for review engagements from their counterparts for examination engagements
      • Required representation letters
      • More robust risk assessment for examination engagements

      SSAE No. 18 supersedes all of the extant attestation standards with the following exceptions:
      • AT 501, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements
      • AT 701, Management’s Discussion and Analysis
SOC for Cybersecurity Continuing Professional Education

    May 22, 2017 Webcast - AICPA’s New Examination Engagement: SOC for Cybersecurity

Copyright © 2006-2017 American Institute of CPAs.