Preface

(Updated as of May 1, 2017)

About AICPA Guides

This AICPA Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, has been developed by the AICPA’s Assurance Services Executive Committee (ASEC) Cybersecurity Working Group, in conjunction with the Auditing Standards Board (ASB), to assist practitioners engaged to examine and report on an entity’s cybersecurity risk management program.

This guide is recognized as an interpretive publication as described in AT-C section 105, Concepts Common to All Attestation Engagements.1 Interpretative publications are recommendations on the application of Statements on Standards for Attestation Engagements (SSAEs) in specific circumstances, including engagements for entities in specialized industries. The SSAEs are also known as the attestation standards.

Interpretive publications are issued under the authority of the ASB after all ASB members have been provided an opportunity to consider and comment on whether the proposed interpretive publication is consistent with the SSAEs. The members of the ASB have found the attestation guidance in this guide to be consistent with the SSAEs.

Although interpretive publications are not attestation standards, AT-C section 105 requires the practitioner to consider applicable interpretive publications in planning and performing an attestation engagement because interpretive publications are relevant to the proper application of the SSAEs in specific circumstances. If the practitioner does not apply the attestation guidance included in an applicable AICPA Guide, the practitioner should be prepared to explain how he or she complied with the SSAE provisions addressed by such attestation guidance.

AICPA Guides may include certain content presented as “Supplement,” “Appendix,” or “Exhibit.” A supplement is a reproduction, in whole or in part, of authoritative guidance originally issued by a standard-setting body (including regulatory bodies) and is applicable to entities or engagements within the purview of that standard setter, independent of the authoritative status of the applicable AICPA Guide. Both appendixes and exhibits are included for informational purposes and have no authoritative status.

Purpose and Applicability

This guide provides guidance to practitioners engaged to examine and report on an entity’s cybersecurity risk management program. In April 2016, the ASB issued SSAE No. 18, Attestation Standards: Clarification and Recodification, (AICPA, Professional Standards),2 which includes AT-C section 105 and AT-C section 205, Examination Engagements. Those sections establish the requirements and application guidance for performing and reporting on an entity’s cybersecurity risk management program in the cybersecurity attestation examination described in this guide. In the attestation standards, a CPA performing an attestation engagement is ordinarily referred to as a practitioner.

The attestation standards enable a practitioner to report on subject matter other than historical financial statements. In the case of the cybersecurity risk management examination described in this guide, the subject matter is (a) the description of the entity’s cybersecurity risk management program in accordance with the description criteria and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria.

This guide also presents description criteria that may be used when preparing and evaluating the description of the entity’s cybersecurity risk management program and applicable trust services criteria (which can be used as control criteria). Such criteria were promulgated by the ASEC, which is designated by the Council of the AICPA under the AICPA Code of Professional Conduct to issue criteria. Therefore, such criteria are considered suitable criteria for use in the cybersecurity examination engagement described in this guide.

Nothing in this guide is intended to prohibit a practitioner from performing a different examination engagement related to an entity’s cybersecurity efforts in accordance with the attestation standards. In that case, the practitioner may find much of the guidance in this guide helpful.

Recognition

Auditing Standards Board

(2016–2017)

Michael J. Santay, Chair

Gerry Boaz

Dora Burzenski

Joseph Cascio

Lawrence Gill

Steven M. Glover

Gaylen Hansen

Tracey Harding

Ilene Kassman

Alan Long

Richard Miller

Daniel D. Montgomery

Steven Morrison

Richard N. Reisig

Catherine M. Schweigel

Daniel J. Hevia

Jere G. Shawver

Chad Singletary

Assurance Services Executive Committee

(2016–2017)

Robert Dohrer, Chair

Bradley Ames

Christine M. Anderson

Brad Beasley

Nancy Bumgarner

Jim Burton

Mary Grace Davenport

Chris Halterman

Jennifer Haskell

Brad Muniz

Michael Ptasienski

Joanna Purtell

Miklos Vasarhelyi

ASEC Cybersecurity Working Group

Chris Halterman, Chair

Efrim Boritz

Mark Burnette

Andrés Castañeda

Brian DePersiis

Sandy Herrygers

Eddie Holt

Kevin Knight

Gaurav Kumar

Dave Palmer

Paul Pendler

Adam Ross

Rod Smith

Shahryar Shaghaghi

Jeff Trent

Jeff Ward

David Wood

AICPA Staff

Charles E. Landes
Vice President
Professional Standards and Services

Amy Pawlicki
Director
Business Reporting, Assurance and Advisory Services and XBRL

Erin Mackler
Assistant Director
Business Reporting, Assurance and Advisory Services

Mimi Blanco-Best
Senior Technical Manager
Business Reporting, Assurance and Advisory Services

Tanya Hale
Technical Manager
Business Reporting, Assurance and Advisory Services

Defining Professional Responsibilities in AICPA Professional Standards

AICPA professional standards applicable to attestation engagements use the following two categories of professional requirements, identified by specific terms, to describe the degree of responsibility they impose on a practitioner:

Unconditional requirements. The practitioner must comply with an unconditional requirement in all cases in which such requirement is relevant. The attestation standards use the word must to indicate an unconditional requirement.

Presumptively mandatory requirements. The practitioner must comply with a presumptively mandatory requirement in all cases in which such requirement is relevant; however, in rare circumstances, the practitioner may judge it necessary to depart from the requirement. The need for the practitioner to depart from a relevant presumptively mandatory requirement is expected to arise only when the requirement is for a specific procedure to be performed and, in the specific circumstances of the engagement, that procedure would be ineffective in achieving the intent of the requirement. In such circumstances, the practitioner should perform alternative procedures to achieve the intent of that requirement and should document the justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of the requirement. The attestation standards use the word should to indicate a presumptively mandatory requirement.

References to Professional Standards

In citing attestation standards and their related interpretations, references to standards that have been codified use section numbers within the codification of currently effective SSAEs rather than the original statement number.

Attestation Clarity Project

In April 2016, the ASB issued SSAE No. 18 to address concerns about the clarity, length, and complexity of the attestation standards. To make the standards easier to read, understand, and apply, the ASB adopted the following clarity drafting conventions in redrafting the attestation standards:

• Establishing objectives for each clarified section

• Including a definitions section, when relevant, in each clarified section

• Separating requirements from application and other explanatory material

• Numbering application and other explanatory material paragraphs using an A- prefix and presenting them in a separate section that follows the requirements section

• Using formatting techniques, such as bulleted lists, to enhance readability

Changes to the Attestation Standards Introduced by SSAE No. 18

Restructuring of the Attestation Standards

The attestation standards provide for three types of services—examination, review, and agreed-upon procedures engagements. SSAE No. 18 restructures the attestation standards so that the applicability of any AT-C section to a particular engagement depends on the type of service provided and the subject matter of the engagement.

AT-C section 105 contains requirements and application guidance applicable to any attestation engagement. AT-C section 205, AT-C section 210, Review Engagements, and AT-C section 215, Agreed-Upon Procedures Engagements, each contain incremental requirements and application guidance specific to the level of service performed. The applicable requirements and application guidance for an engagement to report on any of these subject matters are contained in three AT-C sections: AT-C section 105; AT-C section 205, 210, or 215, depending on the level of service provided; and the applicable subject matter section.

To avoid repetition, the requirements and application guidance in AT-C section 105 are not repeated in the level of service sections or in the subject matter sections, and the requirements and application guidance in the level of service sections are not repeated in the subject matter sections, with the exception of a repetition of the basic report elements for the particular subject matter.

Practitioner Is Required to Request a Written Assertion

In all attestation engagements, the practitioner is required to request from the responsible party a written assertion about the measurement or evaluation of the subject matter against the criteria. In examination and review engagements when the engaging party is also the responsible party, the responsible party’s refusal to provide a written assertion requires the practitioner to withdraw from the engagement when withdrawal is possible under applicable laws and regulations. In examination and review engagements when the engaging party is not the responsible party, the responsible party’s refusal to provide a written assertion requires the practitioner to disclose that refusal in the practitioner’s report and restrict the use of the report to the engaging party.3 In an agreed-upon procedures engagement, the responsible party’s refusal to provide a written assertion requires the practitioner to disclose that refusal in the practitioner’s report.

Risk Assessment in Examination Engagements

SSAE No. 18 incorporates a risk assessment model in examination engagements. In examination engagements, the practitioner is required to obtain an understanding of the subject matter that is sufficient to enable the practitioner to identify and assess the risks of material misstatement in the subject matter and provide a basis for designing and performing procedures to respond to the assessed risks.

Incorporates Certain Requirements Contained in the Auditing Standards

SSAE No. 18 incorporates a number of detailed requirements that are similar to those contained in the Statements on Auditing Standards (SASs), such as the requirement to obtain a written engagement letter and to request written representations. SSAE No. 18 includes these requirements based on the ASB’s belief that a service that results in a level of assurance similar to that obtained in an audit or review of historical financial statements should generally consist of similar requirements.

Separate Discussion of Review Engagements

SSAE No. 18 separates the detailed procedural and reporting requirements for review engagements from their counterparts for examination engagements. The resulting guidance more clearly differentiates the two services.

Convergence

It is the ASB’s general strategy to converge its standards with those of the International Auditing and Assurance Standards Board. Accordingly, the foundation for AT-C sections 105, 205, and 210 is International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information. Many of the paragraphs in SSAE No. 18 have been converged with the related paragraphs in ISAE 3000 (Revised), with certain changes made to reflect U.S. professional standards. Other content included in this statement is derived from the extant SSAEs. The ASB decided not to adopt certain provisions of ISAE 3000 (Revised); for example, a practitioner is not permitted to issue an examination or review report if the practitioner has not obtained a written assertion from the responsible party, except when the engaging party is not the responsible party. In the ISAE, an assertion (or representation about the subject matter against the criteria) is not required in order for the practitioner to report.

Examinations of System and Organization Controls: SOC Suite of Services

In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide in connection with system-level controls of a service organization and system or entity-level controls of other organizations. Formerly, SOC referred to service organization controls. By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations. The following are designations for four such examinations in the SOC suite of services and the source of the guidance for performing and reporting on each:

SOC 1®—SOC for Service Organizations: ICFR. The performance and reporting requirements for an examination of controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting are found in AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. AICPA Guide Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®) contains application guidance for practitioners.

SOC 2®—SOC for Service Organizations: Trust Services Criteria. The performance and reporting requirements for an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy are found in AT-C section 205. AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) contains application guidance for practitioners.

SOC 3®—SOC for Service Organizations: Trust Services Criteria for General Use Report. The performance and reporting requirements for an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy resulting in a general use report are found in AT-C section 205. AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) discusses reporting on such examinations.

SOC for Cybersecurity. The performance and reporting requirements for an examination of an entity’s cybersecurity risk management program and related controls are found in AT-C section 205. This guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, contains application guidance for practitioners.

In 2018, the AICPA plans to introduce a new examination service, SOC for vendor supply chains, and a related attestation guide to provide application guidance to practitioners engaged to examine and report on system-level controls in the supply chain. The purpose of such an examination is to enable entities to better understand and manage external risks, including cybersecurity risk, related to their vendors and distribution networks.

Guidance Considered in This Publication

This guide considers relevant guidance issued through May 1, 2017. In particular, this guide reflects SSAE No. 18.

This guide does not include all attestation requirements that may be applicable to the types of engagements covered by this guide. This guide is intended to be used in conjunction with all applicable sources of relevant guidance. In determining the applicability of recently issued guidance, the effective date of the guidance should also be considered.

Applicability of Quality Control Standards

QC section 10, A Firm’s System of Quality Control (AICPA, Professional Standards), addresses a CPA firm’s responsibilities for its system of quality control for its accounting and auditing practice. A system of quality control consists of policies that a firm establishes and maintains to provide it with reasonable assurance that the firm and its personnel comply with professional standards, as well as applicable legal and regulatory requirements. The policies also provide the firm with reasonable assurance that reports issued by the firm are appropriate in the circumstances.

QC section 10 applies to all CPA firms with respect to engagements in their accounting and auditing practice. In paragraph .13 of QC section 10, an accounting and auditing practice is defined as “a practice that performs engagements covered by this section, which are audit, attestation, compilation, review, and any other services for which standards have been promulgated by the ASB or the AICPA Accounting and Review Services Committee under the “General Standards Rule” (AICPA, Professional Standards, ET sec. 1.300.001) or the “Compliance With Standards Rule” (AICPA, Professional Standards, ET sec. 1.310.001) of the AICPA Code of Professional Conduct. Although standards for other engagements may be promulgated by other AICPA technical committees, engagements performed in accordance with those standards are not encompassed in the definition of an accounting and auditing practice.”

In addition to the provisions of QC section 10, readers should be aware of other sections within AICPA Professional Standards that address quality control considerations, including the following provisions that address engagement-level quality control matters for various types of engagements that an accounting and auditing practice might perform:

• AT-C section 105

• AU-C section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards (AICPA, Professional Standards)

• AR-C section 60, General Principles for Engagements Performed in Accordance With Statements on Standards for Accounting and Review Services (AICPA, Professional Standards)

Paragraphs .32–.33 of AT-C section 105 address the practitioner’s specific responsibilities regarding quality control procedures for an attestation engagement. When applicable, paragraph .42 of AT-C section 105 addresses the responsibilities of the engagement quality control reviewer.

AU-C section 220 addresses the auditor’s specific responsibilities regarding quality control procedures for an audit of financial statements. When applicable, it also addresses the responsibilities of the engagement quality control reviewer.

Paragraphs .19–.23 of AR-C section 60 address engagement-level quality control in an engagement performed in accordance with Statements on Standards for Accounting and Review Services.

Because of the importance of engagement quality, we have added appendix I, “Overview of Statements on Quality Control Standards,” to this guide. Appendix I summarizes key aspects of the quality control standards. This summarization should be read in conjunction with QC section 10, AU-C section 220, AT-C section 105, AR-C section 60, and the quality control standards issued by the PCAOB, as applicable.

AICPA.org Website

The AICPA encourages you to visit its website at www.aicpa.org and the Financial Reporting Center (FRC) at www.aicpa.org/FRC. The FRC supports members in the execution of high-quality financial reporting. Whether you are a financial statement preparer or a member in public practice, this center provides exclusive member-only resources for the entire financial reporting process and provides timely and relevant news, guidance, and examples in areas including accounting, preparing financial statements, and performing compilation, review, audit, attest, or assurance and advisory engagements. Certain content on the AICPA’s websites referenced in this guide may be restricted to AICPA members only.
