As the world, organizations and individuals become increasingly more information technology and internet dependent and inter-connected with other organizations and individuals, cybersecurity poses one of the largest threats in the current operating environment. Extending beyond the information technology sphere, information security incidents and data breaches are a daily occurrence in the news and can do major damage to operations. The recent WannaCry ransomware incident hit hospitals in Great Britain, telecom providers in Spain and major companies in China, the United States and several other countries. It locked users out of critical systems, grinding business—and in the case of the hospitals, patient care—to a halt.

In this environment, organizations are required to focus more attention on evaluating their Cybersecurity protocol as part of their approach to risk management. At the same, organizations are being asked to respond to inquiries about their cybersecurity risk management from their boards and executive management, and external stakeholders, such as analysts, investors, business partners, customers and regulators. In order to address the needs for evaluation and assurance reporting on Cybersecurity Risk Management for internal and external stakeholders, the AICPA recently issued a new System and Organization Controls for Cybersecurity report. Certified public accountants (CPAs) will use the report to evaluate entities' cybersecurity risk management programs, similar to the process used to evaluate an organization's control environments in SOC 1 and SOC 2 reports.

The SOC for Cybersecurity Report

As part of the report, CPAs will look at two elements: the description of an entity's cybersecurity risk management program and the effectiveness of controls within that program to achieve cybersecurity objectives.

Management will be asked to provide a description of their cybersecurity risk management and information security programs, and control environments, including the assets or data protected by the program and the processes the organization undertakes to protect the assets from cybersecurity risks. The AICPA has provided description criteria to assist management in preparing the description and providing a common disclosure framework that is designed to meet the information needs of a board range of internal and external stakeholders.

An organization's management will also be asked to provide an assertion, either at a point in time or for a specified period of time to determine whether the description meets the AICPA's criteria. Management will also include an assertion on the suitability of design and operating effectiveness of its internal controls in meeting its cybersecurity objectives. As part of the examination, the CPA will evaluate the suitability of design and operating effectiveness of the organization's controls either against the AICPA's Trust Service criteria or at the organization's request against other commonly acceptable control criteria, such as the NIST Critical Information Cybersecurity Framework and ISO 27001/27002.

An audit professional then opines on whether management's cybersecurity protocol description meets the AICPA's criteria and whether cybersecurity controls effectively achieve the AICPA's or other commonly accepted control criteria.

How Companies Can Use a Cybersecurity Report

A CPA-prepared report can be used to address concerns and inquiries from boards of directors and C-level management that your organization is taking the necessary precautions to protect sensitive data and systems.

The report can also be used to help address the concerns and inquiries from external stakeholders, such as analysts, investors, business partners, and customers. Analysts and investors will want to see protections for risks that could disrupt an organization's value and stock price. Business partners and customers may want to see insights into how your organizations' controls marry up with theirs, and whether they will need additional controls in place around interactions with you. If there is an exchange of data taking place, a business partner and customers may also want to understand what logical security access protections are in place to protect the business partner's and customer's information. Regulators will want to see that you have implement suitable and effective cybersecurity controls and risk management practices to address their regulatory requirements and oversight compliance guidance.

For More Information

To learn more about how to enhance your cybersecurity protocol and incorporate it into your internal controls, please contact us.

Published on May 23, 2017