Notes

Preface

1 All AT-C sections can be found in AICPA Professional Standards.

2 Statement on Standards for Attestation Engagements No. 18, Attestation Standards: Clarification and Recodification (AICPA, Professional Standards), is effective for practitioners' reports dated on or after May 1, 2017.

3 This exception is not available in the cybersecurity risk management examination discussed in this guide. See footnote 7 in chapter 2, “Accepting and Planning a Cybersecurity Risk Management Examination,” of this guide.

Chapter 1: Introduction and Background

1 This guide uses the term board members to refer to the governing body of an entity, which may take the form of a board of directors or supervisory board for a corporation, board of trustees for a not-for-profit entity, board of governors or commissioners for government entities, general partners for a partnership, or owner for a small business.

2 Some business partners may need a detailed understanding of controls implemented by the entity and the operating effectiveness of those controls to enable them to design and operate their own control activities. For example, business partners whose IT systems are interconnected with systems at the entity may need to understand the specific logical access protection over the interconnected systems implemented by the entity.

This guide is not intended to meet the needs of business partners who need a detailed understanding of the entity's specific controls and their operating effectiveness. AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) provides guidance for practitioners engaged to examine and report on system controls at a service organization.

3 In certain circumstances, the practitioner may be engaged to report on the description and on the suitability of the design of controls within the entity's cybersecurity risk management program, but not on the effectiveness of the controls. Such an examination (design-only examination) is discussed further beginning in paragraph 1.42.

4 For this reason, practitioners should not accept a cybersecurity risk management examination if management is unwilling to prepare the description of the entity's cybersecurity risk management program or to include it in the cybersecurity risk management examination report. However, the practitioner may be able to perform a different examination in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).

5 Throughout this guide, the term effective (as it relates to controls) encompasses both the suitability of design of controls and the operating effectiveness of controls. This is discussed further in paragraph 1.28.

6 If management is unwilling to prepare the description of the entity's cybersecurity risk management program or to include it in the cybersecurity risk management examination report, a practitioner cannot perform the cybersecurity risk management examination. However, the practitioner may be able to perform a different examination engagement in accordance with AT-C section 105 and AT-C section 205.

7 As discussed further beginning in paragraph 1.37, management may make its assertion as of a point in time or for a specified period of time.

8 Paragraph .A42 of AT-C section 105 states that criteria are suitable if they are relevant, objective, measurable, and complete. Paragraph .25bii of AT-C section 105 indicates that criteria used in an examination engagement must be available to intended users of the practitioner's report.

9 Appendix D of this guide includes TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria). TSP section 100 provides criteria for evaluating controls related to security, availability, processing integrity, confidentiality, and privacy (trust services criteria). In TSP section 100, these five attributes are known as categories.

10 Center for Audit Quality (CAQ) Alert #2014-3, “Cybersecurity and the External Audit,” discusses the differences between the scope of IT controls considered in a financial statement audit and a cybersecurity engagement. http://thecaq.org/sites/default/files/caqalert_2014_03.pdf

Chapter 2: Accepting and Planning a Cybersecurity Risk Management Examination

1 Paragraph 2.17 discusses situations in which management may engage the practitioner to examine and report on only a portion of the entity's cybersecurity risk management program.

2 As discussed in chapter 1, “Introduction and Background,” management is responsible for selecting the specified period of time or point of time to be covered by the cybersecurity risk management examination report.

3 Paragraph 2.24 discusses situations in which management may engage a practitioner to examine and report on only the suitability of the design of controls the entity has implemented within its cybersecurity risk management program.

4 Determining whether management is likely to have a reasonable basis for its assertion is discussed beginning in paragraph 2.28 of this guide.

5 As defined in paragraph .10 of AT-C section 205, Examination Engagements (AICPA, Professional Standards), fraud is an intentional act involving the use of deception that results in a misstatement in the subject matter or the assertion.

6 As used in this guide, the term information assets refers to data and associated software and infrastructure used to process, transmit, and store information. Examples of information assets include employees' personally identifiable information, protected health information, customers' credit card information, and the systems that process, transmit, and store such information.

7 If management is not the engaging party, paragraph .10 of AT-C section 205 provides an exception to the requirement that the practitioner withdraw from the engagement when management refuses to provide a written assertion. Because a written assertion is one of three key elements of the cybersecurity risk management examination report, that exception does not apply in the examination described in this guide. Therefore, management's failure to provide a written assertion would prevent the practitioner from performing the cybersecurity risk management examination.

8 All ET sections can be found in AICPA Professional Standards.

9 The “Independence Rule” (ET sec. 1.200.001) and its interpretations apply to all attest engagements. However, when performing engagements in which independence is required in accordance with the attestation standards, the covered member needs to be independent with respect to the responsible party(ies), as defined in those standards. If the individual or entity that engages the covered member is not the responsible party, the covered member need not be independent of that individual or entity. However, the covered member should consider the “Conflicts of Interest” interpretation (ET sec. 1.110.010) of the “Integrity and Objectivity Rule” with regard to any relationships that may exist with the individual or entity that engages the covered member to perform these services. When providing nonattest services that would otherwise impair independence under the interpretations of the “Nonattest Services” subtopic (ET sec. 1.295) of the “Independence Rule,” threats would be at an acceptable level and independence would not be impaired if the following safeguards are met:

• Nonattest services do not relate to the specific subject matter of the attestation engagement.

• The “General Requirements for Performing Nonattest Services” interpretation (ET sec. 1.295.040) of the “Independence Rule” is met when providing the nonattest service.

10 These references are to the trust services criteria for security, availability, and confidentiality (control criteria) presented in appendix D, “Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination.”

11 Regardless of whether the practitioner plans to use the internal audit's work or to use the internal audit function in a direct assistance capacity, the term engagement team, as used throughout this guide, does not include individuals within the entity's internal audit function.

Chapter 3: Performing the Cybersecurity Risk Management Examination

1 Subsequent events are discussed beginning in paragraph 3.139 of this guide.

2 The quoted description criterion is presented in appendix C, “Description Criteria for Use in the Cybersecurity Risk Management Examination,” of this guide. Other description criteria cited in this guide (indicated with the naming convention “DC”) are also drawn from appendix C.

3 If the cybersecurity risk management examination is as of a point in time, the practitioner's responsibility is the same. However, the practitioner's considerations related to the nature, timing, and extent of procedures to perform to obtain sufficient appropriate evidence will differ from those performed when the examination is for a specified period of time.

4 As discussed in paragraph 3.03, the term deviation is used throughout this guide when discussing a misstatement, identified by the practitioner, in which the operation of a control was not effective in a specific instance. To distinguish deviations identified by the practitioner from those identified by the internal audit function, the term exception is used when referring to misstatements identified by the internal audit function.

5 The evaluation of test results may differ when the cybersecurity risk management examination is as of a point in time rather than a period of time. For example, assume the practitioner was engaged to conduct the examination as of December 31, 20X2. While performing the procedures, the practitioner identified, in June 20X1, a deficiency in a control; the deficiency was remediated in November 20X1. In this example, because the practitioner was engaged to conduct the examination as of December 31, 20X2, the deficiency would not cause the practitioner to modify the report because it had already been remediated by December 31, 20X2.

6 Within this section of the guide, the term subject matters refers to the two subject matters in the cybersecurity risk management examination: (1) the description of the entity's cybersecurity risk management program and (2) the effectiveness of controls within that program to achieve the entity's cybersecurity objectives based on the control criteria.

7 Within this section of the guide, the term criteria refers to both the description criteria and the control criteria.

Chapter 4: Forming the Opinion and Preparing the Practitioner’s Report

1 As used here, the concept of the suitability of design relates to controls that have been designed and implemented within the entity's cybersecurity risk management program.

2 If the subject matter of the engagement is less than entity-wide, the practitioner should modify the language used to identify the subject matter of the engagement.

3 As discussed in chapter 1, “Introduction and Background,” management is responsible for determining whether the engagement will be performed for a specified period of time or as of a point in time to be used in the cybersecurity risk management examination report. However, because most users are likely to find a conclusion about control effectiveness more valuable if it is over a period of time, this guide uses a period of time. If management elects to report as of a point in time, the practitioner would modify the language in the report to refer to the point in time.

Appendix A: Information for Entity Management

1 In certain circumstances, the practitioner may be engaged to report on the description and on the suitability of the design of the controls within the entity's cybersecurity risk management program. Such an examination, which is referred to as a design-only examination, is discussed further in the section titled “Cybersecurity Risk Management Examination Addresses Only the Suitability of the Design of Controls Within the Entity's Cybersecurity Risk Management Program (Design-Only Examination).”

2 The term information assets refers to data and associated software and infrastructure used to process, transmit, and store information. Examples of information assets include employees' personally identifiable information, protected health information, customers' credit card information, and the systems that process, transmit, and store such information.

3 ©2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used by permission. See www.coso.org.

Appendix B: Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2 Examination and Related Reports

1 In a SOC 2 engagement, when the entity uses the services of a subservice organization, management may elect to use the inclusive method or the carve-out method to address those services in its description of its system. Those concepts are defined and discussed in the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy (SOC 2®) (the SOC 2 guide).

In the cybersecurity risk management examination, however, management is responsible for all of the controls within the entity's cybersecurity risk management program, regardless of whether those controls are performed by the entity or by a service organization. Therefore, the description criteria in appendix C, “Description Criteria for Use in the Cybersecurity Risk Management Examination,” require the description to address all of the controls within the entity's cybersecurity risk management program.

2 Some of an entity's business partners may need a detailed understanding of controls implemented by the entity and the operating effectiveness of those controls to enable them to design and operate their own control activities. For example, business partners whose IT systems are interconnected with systems at the entity may need to understand the specific logical access protection over the interconnected systems implemented by the entity.

This guide is not intended to meet the needs of business partners who need a detailed understanding of the entity's specific controls and their operating effectiveness. The SOC 2 guide provides guidance for practitioners engaged to examine and report on system controls at a service organization. In addition, the AICPA intends to develop a vendor supply chain guide to provide guidance for practitioners engaged to examine and report on system controls at a manufacturer or distributor. The vendor supply chain guide is expected to be issued in 2018.

3 For illustrative purposes, this table focuses specifically on a type 2 SOC 2 report, which includes both an opinion on suitability of design and operating effectiveness of controls.

4 As discussed in the preface to this guide, the clarified attestation standards are effective for practitioner's reports dated on or after May 1, 2017. Prior to that, SOC 2 engagements were performed in accordance with AT section 101, Attest Engagements (AICPA, Professional Standards).

5 The AICPA is in the process of updating the SOC 2 guide to incorporate revisions needed to make the guide more responsive to users' cybersecurity concerns. The revised guide is expected to be issued in 2017.

6 The term general use refers to reports whose use is not restricted to specified parties. Nevertheless, as discussed in chapter 4, “Forming the Opinion and Preparing the Practitioner's Report,” practitioners may decide to restrict the use of their report to specified parties.

7 Because the report is only appropriate for users that possess such knowledge and understanding, the SOC 2 report is restricted to the use of such specified users.

8 For both the description criteria and control criteria in a cybersecurity risk management examination, suitable criteria other than those outlined in this guide may also be used.

9 Concurrent with the issuance of this guide, the AICPA issued revisions to the extant trust services criteria. The 2017 trust services criteria presented in this document will be codified as TSP section 100. The extant trust services criteria issued in 2016 will be available in TSP section 100A through December 15, 2018. After that date, the 2016 criteria will be considered superseded. During the transition period (April 15, 2017, through December 15, 2018), practitioners should distinguish in their reports whether the 2016 or the 2017 trust services criteria have been used.

In addition, the AICPA will continue to make available the 2014 trust services criteria in TSP section 100A-1 until March 31, 2018, to ensure they remain available to report users. Those criteria were considered superseded for practitioner reports for periods ended on or after December 15, 2016.

Because cybersecurity risk management examination engagements are new service offerings, entities that elect to use the trust services criteria as the control criteria in such engagements should use the revised trust services criteria for security, availability, and confidentiality presented in appendix D.

10 The practitioner in a SOC 2 examination is referred to as a service auditor.

Appendix C: Description Criteria for Use in the Cybersecurity Risk Management Examination

1 The term board of directors is used throughout this document to refer to those individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held instead by a supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.

Appendix D: Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination

1 ©2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used by permission. See www.coso.org.

Appendix I: Overview of Statements on Quality Control Standards

1 The term reasonable assurance, which is defined as a high, but not absolute, level of assurance, is used because absolute assurance cannot be attained. Paragraph .53 of QC section 10, A Firm's System of Quality Control (AICPA, Professional Standards), states, “Any system of quality control has inherent limitations that can reduce its effectiveness.”

2 A foreign-associated firm is a firm domiciled outside of the United States and its territories that is a member of, correspondent with, or similarly associated with an international firm or international association of firms.

3 Such considerations would include the risk of providing professional services to significant clients or to other clients for which the practitioner's objectivity or the appearance of independence may be impaired. In broad terms, the significance of a client to a member or a firm refers to relationships that could diminish a practitioner's objectivity and independence in performing attest services. Examples of factors to consider in determining the significance of a client to an engagement partner, office, or practice unit include (a) the amount of time the partner, office, or practice unit devotes to the engagement, (b) the effect on the partner's stature within the firm as a result of his or her service to the client, (c) the manner in which the partner, office, or practice unit is compensated, or (d) the effect that losing the client would have on the partner, office, or practice unit.

4 Inspection is a retrospective evaluation of the adequacy of the firm's quality control policies and procedures, its personnel's understanding of those policies and procedures, and the extent of the firm's compliance with them. Although monitoring procedures are meant to be ongoing, they may include inspection procedures performed at a fixed point in time. Monitoring is a broad concept; inspection is one specific type of monitoring procedure.
