The AICPA has issued final standards for a new type of management assertion and related auditor engagement on cybersecurity.
Launched as part of the AICPA’s System and Organizational Controls (SOC) standards, the new SOC for Cybersecurity includes guidance for management, auditors, and other interested users of such reports.
The SOC for Cybersecurity is an examination-level engagement, performed in accordance with the AICPA’s clarified attestation standards, on an entity’s cybersecurity risk management program.
Akin to the process for management and auditor reporting on internal control over financial reporting as required under the Sarbanes-Oxley Act, related SEC and PCAOB rules, and detailed under the COSO framework, the AICPA’s new standards provide a framework for management to describe and make its own assertion on the effectiveness of the company’s cybersecurity risk management program in meeting its cybersecurity objectives. They also serve as guidance for the auditor’s examination of the company’s cybersecurity risk management.
Although reporting on cybersecurity risk management is not mandated by any law or by the SEC or PCAOB, the AICPA’s new standard received broad input during the proposal development stage and subsequent comment letters leading up to issuance of the final standards this week. The standard is designed to standardize and bring high quality to any voluntary management assertions and auditor engagements on cybersecurity that may be requested by boards of directors, investors, users, suppliers or others, and to serve as a potential resource should any mandatory management and auditor reporting under Sarbanes-Oxley.
Management reporting framework on cybersecurity
The standard contains two significant forms of guidance within its framework for management reporting on cybersecurity risk management:
CPA attestation on cybersecurity risk management
The third component is the standard for the CPA’s examination of, and related attestation on, the client’s cybersecurity risk management.
In addition to the management reporting framework and new standard for CPA engagements on cybersecurity, the AICPA has provided resources, including an illustrative cybersecurity risk management report.
The AICPA’s cybersecurity resource center includes links to additional documents and videos, and notes additional information about the new standards will be provided on a May 22 webcast, as well as a session on cybersecurity risk management essentials slated for the upcoming AICPA ENGAGE conference, June 12-15 in Las Vegas.