The AICPA has issued final standards for a new type of management assertion and related auditor engagement on cybersecurity.
Launched as part of the AICPA’s System and Organizational Controls (SOC) standards, the new SOC for Cybersecurity includes guidance for management, auditors, and other interested users of such reports.
The SOC for cybersecurity is an examination-level engagement performed in accordance with the AICPA’s clarified attestation standards on an entity’s cybersecurity risk management program.
Akin to the process for management and auditor reporting on internal control over financial reporting as required under the Sarbanes-Oxley Act, related SEC and PCAOB rules, and detailed under the COSO framework, the AICPA’s new standards provide a framework for management to describe and make its own assertion on the effectiveness of the company’s cybersecurity risk management program in meeting its cybersecurity objectives. They also serve as guidance for the auditor’s examination of the company’s cybersecurity risk management.
Although reporting on cybersecurity risk management is not mandated by any law or by the SEC or PCAOB, the AICPA’s new standard received broad input during the proposal development stage and in subsequent comment letters leading up to issuance of the final standards this week. The standard is designed to standardize and bring high quality to any voluntary management assertions and auditor engagements on cybersecurity that may be requested by boards of directors, investors, users, suppliers or others, and to serve as a potential resource should management and auditor reporting on cybersecurity ever become mandatory under Sarbanes-Oxley.
Management reporting framework on cybersecurity
The standard contains two significant forms of guidance within its framework for management reporting on cybersecurity risk management:
- Management’s description of the entity’s cybersecurity risk management program. This is a management-prepared narrative description of the entity’s cybersecurity risk management program. The description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. It provides the context users need to understand the conclusions expressed by management in its assertion and by the practitioner in his or her report. Management uses the description criteria to prepare and evaluate the description of the entity’s cybersecurity risk management program.
- Management’s assertion on the effectiveness of cybersecurity risk management. This is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria, and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.
CPA attestation on cybersecurity risk management
The third component is the standard for the CPA’s examination of, and related attestation on, the client’s cybersecurity risk management program.
- Practitioner’s report. This is the CPA’s report, which contains an opinion addressing both subject matters in the examination. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
In addition to the management reporting framework and new standard for CPA engagements on cybersecurity, the AICPA has provided resources, including an illustrative cybersecurity risk management report.
The AICPA’s cybersecurity resource center includes links to additional documents and videos, and notes that additional information about the new standards will be provided on a May 22 webcast, as well as in a session on cybersecurity risk management essentials slated for the upcoming AICPA ENGAGE conference, June 12-15 in Las Vegas.