SOC reports for CyberRisk
In 2017 AICPA has developed a cybersecurity reporting framework that organizations can use to demonstrate to key stakeholders the extent and effectiveness of an entity’s cybersecurity risk management program. A critical element of any cybersecurity risk management program is the formulation of objectives by management. Management establishes cybersecurity objectives that address cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). They may vary depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors.
Cyber risk has become a front-and-center issue in today’s global economy. The media is rife with reports of cyberattacks ranging from major customer records thefts and health care records breaches to political incidents. Unfortunately, we are living in a world where the risk of a cyber intrusion is no longer a question of if, but a question of when. In fact, according to the World Economic Forum 2017 Global Risk Report, data fraud or theft, and cyberattacks rank fifth and sixth, respectively, on their list of Top Ten Risks in Terms of Likelihood.
Cybersecurity brings extraordinary challenges. Organizations face varying threats with varying impacts—all in an environment marked by rapid technological change. What’s more, various stakeholders must gather information and converse about cybersecurity between and among each other. The nature of cybersecurity challenges requires that every sector of the economy plays a role. While government policy and activity will be important in promoting cybersecurity resilience, the energy, agility, and innovation of the private sector must be harnessed as well. The auditing profession will do its part by playing a key role in helping organizations—public and private—adapt to this challenging landscape.
Given the high-profile nature of cyber-attacks on corporations, both the demand for information related to cybersecurity—and the need to facilitate robust conversations on these topics—have grown exponentially across major stakeholder groups. Board members: Boards of directors need information about the entity’s cybersecurity program and the cyber threats facing the entity to help the boards fulfill their oversight responsibilities. They also want information that will help them evaluate the entity’s effectiveness in managing cybersecurity risks.
Management will assert to the presentation of the Management’s Description of the entity’s cybersecurity risk management program in accordance with the description criteria, and whether the controls within the cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on a suitable set of control criteria. One example of suitable control criteria is the 2017 Trust Services Criteria (criteria for security, availability, and confidentiality).
Cybersecurity Risk Management Examination •Usually addresses an entity-wide cybersecurity risk management program or •A Portion of the Entity’s Cybersecurity Risk Management Program The cybersecurity risk management examination may be limited to any of the following: One or more specific business units, segments, or functions of an entity: •when those units, segments, or functions operate under an entity-wide cybersecurity risk management program or •when those units, segments, or functions operate under an independent cybersecurity risk management program