Appendix B

Illustrative Comparison of the Cybersecurity Risk Management Examination with a SOC 2 Examination and Related Reports

This appendix is nonauthoritative and is included for informational purposes only.

The following table compares the cybersecurity risk management examination with a SOC 2 engagement and related reports. Within the Cybersecurity Risk Management Examination and the SOC 2 Engagement columns, certain text is set in bold to highlight key distinctions between the two types of engagement.

Column headings: Cybersecurity Risk Management Examination [1] | SOC 2 Engagement [2, 3]

What is the purpose of the report?

  Cybersecurity risk management examination: To provide intended users with useful information about an entity’s cybersecurity risk management program for making informed decisions

  SOC 2 engagement: To provide a broad range of system users with information about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy to support users’ evaluations of their own systems of internal control

Who are the intended users?

  Cybersecurity risk management examination: Management, directors, analysts, investors, and others whose decisions might be affected by the effectiveness of the entity’s cybersecurity risk management program

  SOC 2 engagement: Management of the service organization and other specified parties with sufficient knowledge and understanding of the service organization and its system

Under what professional standards and implementation guidance is the engagement performed?

  Cybersecurity risk management examination: AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, in AICPA Professional Standards; and the AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls

  SOC 2 engagement: AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, [4] in AICPA Professional Standards; and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) [5]

Who is the responsible party?

  Cybersecurity risk management examination: Management of an entity

  SOC 2 engagement: Management of a service organization

Is the report appropriate for general use or restricted to specified parties?

  Cybersecurity risk management examination: Appropriate for general use [6]

  SOC 2 engagement: Restricted to user entity personnel and specified parties, such as independent auditors and practitioners of user entities, prospective user entities, and regulators, who have sufficient knowledge and understanding of the following matters: [7]

  • The nature of the service provided by the service organization

  • How the service organization’s system interacts with user entities and other parties

  • Internal control and its limitations

  • The nature of user entity responsibilities and their role in the user entities’ internal control as it relates to service organizations

  • The nature of subservice organizations and how their services to a service organization may affect user entities

  • The applicable trust services criteria

  • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

What is the subject matter of management’s assertion and the engagement?

  Cybersecurity risk management examination: (a) The description of the entity’s cybersecurity risk management program based on the description criteria; and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria

  SOC 2 engagement: (a) The description of the service organization’s system as it relates to one or more of the categories in the trust services criteria; and (b) the suitability of design and operating effectiveness of controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy based on the criteria

What are the criteria for the engagement?

  Cybersecurity risk management examination: The description criteria included in appendix C, “Description Criteria for Use in the Cybersecurity Risk Management Examination,” of this guide; and the trust services criteria for security, availability, and confidentiality included in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria), and presented in appendix D, “Trust Services Criteria for Security, Availability, and Confidentiality for Use as Control Criteria in the Cybersecurity Risk Management Examination,” of this guide. Such criteria are suitable for use as control criteria. [8, 9]

  SOC 2 engagement: Paragraphs 1.26–1.27 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) contain the criteria for the description of the service organization’s system. TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria), contains the criteria for evaluating the design and operating effectiveness of controls.

What are the contents of the report?

  Cybersecurity risk management examination:

  • A description of the entity’s cybersecurity risk management program

  • A written assertion by management about whether (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria

  • A practitioner’s report that contains an opinion about whether (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) the controls within that program were effective in achieving the entity’s cybersecurity objectives based on the control criteria

  SOC 2 engagement:

  • A description of the service organization’s system

  • A written assertion by management of the service organization regarding the description of the service organization’s system and the suitability of the design and the operating effectiveness of the controls in meeting the applicable trust services criteria

  • A service auditor’s [10] report that contains an opinion on the fairness of the presentation of the description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to meet the criteria

  • In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests
