This June, the AICPA has released a new examination engagement (SOC for cybersecurity) performed in accordance with the AICPA’s clarified attestation standards on an entity’s cybersecurity risk management program. The AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, provides guidance for practitioners engaged to examine and report on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, the practitioner opines on: (a) management’s description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a general use cybersecurity report designed to meet the needs of a variety of potential users.
Cybersecurity Risk Management
The cybersecurity risk management examination report includes the following three key components:
- Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program (description). This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. The description provides the context needed for users to understand the conclusions, expressed by management in its assertion and by the practitioner in his or her report. Management uses the description criteria to prepare and evaluate an entity’s cybersecurity risk management program.
- Management’s assertion. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.
- Practitioner’s report. The third component is a practitioner’s report, which contains an opinion, which addresses both subject matters in the examination. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
