In 2017 the AICPA developed a cybersecurity reporting framework that organizations can use to demonstrate to key stakeholders the extent and effectiveness of an entity’s cybersecurity risk management program. A critical element of any cybersecurity risk management program is the formulation of objectives by management. Management establishes cybersecurity objectives that address cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). These objectives may vary depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors.
Need (Demand)
Cyber risk has become a front-and-center issue in today’s global economy. The media is rife with reports of cyberattacks ranging from major customer records thefts and health care records breaches to political incidents. Unfortunately, we are living in a world where the risk of a cyber intrusion is no longer a question of if, but a question of when. In fact, according to the World Economic Forum 2017 Global Risk Report, data fraud or theft and cyberattacks rank fifth and sixth, respectively, on its list of Top Ten Risks in Terms of Likelihood.
Bottom line: Cybersecurity brings extraordinary challenges. Organizations face varying threats with varying impacts—all in an environment marked by rapid technological change. What’s more, various stakeholders must gather information and converse about cybersecurity between and among each other. The nature of cybersecurity challenges requires that every sector of the economy play a role. While government policy and activity will be important in promoting cybersecurity resilience, the energy, agility, and innovation of the private sector must be harnessed as well. The auditing profession will do its part by playing a key role in helping organizations—public and private—adapt to this challenging landscape.
Given the high-profile nature of cyberattacks on corporations, both the demand for information related to cybersecurity—and the need to facilitate robust conversations on these topics—have grown exponentially across major stakeholder groups.
Board members: Boards of directors need information about the entity’s cybersecurity program and the cyber threats facing the entity to help the boards fulfill their oversight responsibilities. They also want information that will help them evaluate the entity’s effectiveness in managing cybersecurity risks.
Why CPAs for Cyber Risks
Today’s public accounting firms employ individuals who hold CPAs as well as other credentials specifically related to information technology and security, such as Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).
The AICPA’s cybersecurity reporting framework has been developed to provide the market with a common approach to reporting on and evaluating a company’s cybersecurity risk management program. A common and consistent approach for companies to report information about their cybersecurity risk management program, once established and accepted in the market, could potentially reduce industry and other regulatory compliance requirements that can:
• distract company resources away from cybersecurity risk management, and
• burden companies with checklist compliance exercises that are typically ineffective responses to advancing data security threats.
Widespread market consensus around a given approach can aid in establishing a uniform, cross-industry methodology for evaluating a company’s cybersecurity risk management program.
Management’s Description of the Entity’s Cybersecurity Risk Management Program. Management provides potential users with a description of the entity’s cybersecurity risk management program. Management uses suitable description criteria when developing its description of the subject matter, and CPAs use the same criteria when evaluating that description. The AICPA’s Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (Description Criteria) have been designed to serve as such suitable criteria.
The SOC report defines the standards used by a service auditor to assess the internal controls of a service organization. The control objectives and activities vary based on the scope of the SOC engagement and the client’s operations. The relationship between the service organization and the user organizations must be considered to help determine which controls should be included in the engagement. In addition, the impact on the user organizations’ financial statements is also a determining factor as to whether controls at the service organization are in the scope of the project. The following outlines some categories of control activities that are included in the description of controls for many SOC reviews:
General Computer Controls
• Logical security (passwords, two-factor authentication, etc.)
• Physical and environmental security
• Network security (firewalls, intrusion prevention)
• Change management
• Data retention and storage
• Disaster recovery / business continuity
• System documentation
There are also application-specific control activities that will vary based on the client systems that have been implemented. For example, the system application(s) of a third-party payroll provider would normally be reviewed to understand the automated controls around transaction processing.
Why Us?
We provide an end-to-end process for SOC reporting engagements. With data moving into the cloud and the increased use of big data, cloud security and privacy concerns are on the rise. We conduct integrated cybersecurity engagements together with privacy engagements. The AICPA has also developed a SOC reporting framework for privacy, which can help organizations ascertain their level of maturity for privacy. More stringent regulations such as HIPAA and the EU GDPR, and the enforcement of these privacy requirements, are causing nightmares for organizations.
Some of the advantages of working with us are:
Download our SOC for Cyber Risk Services
Download our SOC Reporting Services
Download our SOC 2 for Cloud Services
Download our SOC 2 for HITRUST/HIPAA Services
Download our GDPR Readiness Services