Chapter 1

Introduction and Background

Introduction

1.01 Almost every day a new cyberattack is announced in the media. Nation states, hackers, organized crime, and malicious insiders are attacking entities because of who they are, what they do, or the information they possess. Sometimes, the attacks are launched simply to cause a business disruption or broader economic interruption. Banks, big-box retailers, government agencies... it seems that none are immune from cyberattacks. Along with the increased number of reported attacks, the number of victims and the amount of information compromised by each attack is also increasing.

1.02 Cybersecurity has become a top concern for boards of directors and senior executives of many entities throughout the country, regardless of their size or the industry in which they operate. In addition, governmental officials are also concerned about cybersecurity at governmental agencies and departments. For most entities, cybersecurity is a significant business risk that needs to be identified, assessed, and managed along with other business risks the entity faces, and it is management’s responsibility to ensure that all employees throughout the entity, not only those in the information technology department, address cybersecurity risks. Managing this business issue is especially challenging because even an entity with a highly sophisticated cybersecurity risk management program has a residual risk that a material cybersecurity breach can occur and not be detected in a timely manner. In other words, an effective cybersecurity risk management program provides reasonable, but not absolute, assurance that material breaches are prevented or detected, and mitigated in a timely manner. Furthermore, the combined effects of an entity’s dependency on information technology, the complexity of information technology networks and business applications, extensive reliance on third parties, and human nature (for instance, susceptibility to social engineering) are only likely to increase the need for effective cybersecurity risk management programs in the foreseeable future.

Potential Users of Cybersecurity Information and Their Interests

1.03 To achieve the entity’s business objectives, senior management, as well as others within the entity, frequently need information about the effectiveness of the entity’s cybersecurity risk management program, including the processes and controls designed, implemented, and operated to mitigate threats against the entity’s sensitive information and systems.

1.04 Members of a board of directors (board members)1 need information about the cybersecurity risks an entity faces and the cybersecurity risk management program that management implements to help them fulfill their oversight responsibilities. They also want information from independent third-party assessors that will help them evaluate management’s effectiveness in managing cybersecurity risks.

1.05 Others may also need information about an entity’s cybersecurity risks and its cybersecurity risk management program to make informed decisions. For example,

• analysts and investors may benefit from information about an entity’s cybersecurity risk management program. This information is intended to help them understand the cybersecurity risks that could threaten the achievement of the entity’s operational, reporting, and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the entity’s value and stock price.

• business partners may need information about the entity’s cybersecurity risk management program as part of their overall risk assessment. This information is intended to help business partners determine matters such as whether there is a need for multiple suppliers for a good or service and the extent to which they choose to extend credit to the entity.2

• some industry regulators may benefit from information about an entity’s cybersecurity risk management program to support their oversight role.

1.06 Analysts, investors, business partners, and regulators recognize that entity management is responsible for identifying, assessing, and mitigating cybersecurity risks. However, many are not in a position to require management to provide information about an entity’s cybersecurity measures to enable them to make better decisions; they must rely on publicly available information, such as that found in general-purpose reports or regulatory filings, to meet their needs. In response to requests from these third parties, corporate directors and senior management have begun requesting general purpose reports from independent third-party assessors on the effectiveness of the entity’s cybersecurity risk management program.

1.07 The potential users described in the previous paragraph are the primary users to whom general purpose reports on the effectiveness of the entity’s cybersecurity risk management program are directed. Individuals acting in a personal capacity often have different information needs and desires. For example, they might want information about how an entity protects credit card information used to purchase an item on the internet. Therefore, a general purpose report on the effectiveness of an entity’s cybersecurity risk management program may not always meet the information needs of such individuals. In addition, a general purpose report may include additional information that may not be easily understood by all individuals. Accordingly, although these individuals may find the report useful, they are not the primary intended users of such a report.

Cybersecurity Risk Management Examination

1.08 To enable practitioners to provide a general purpose report on the effectiveness of an entity’s cybersecurity risk management program, the AICPA has developed the cybersecurity risk management examination described in this guide. In conjunction with this guide, the AICPA has also developed description criteria for use when preparing and evaluating the description of the entity’s cybersecurity risk management program and control criteria intended to be used when evaluating the effectiveness of controls within the entity’s cybersecurity risk management program.

1.09 In the cybersecurity risk management examination, there are two distinct but complementary subject matters: (1) the description of the entity’s cybersecurity risk management program and (2) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. As the responsible party, management prepares the description and makes an assertion about the subject matters. Specifically, management’s assertion addresses whether the description was prepared in accordance with description criteria and whether the controls within the program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The practitioner examines and reports on that information in accordance with the attestation standards.3

1.10 The practitioner performs the cybersecurity risk management examination described in this guide in accordance with the AICPA’s attestation standards. In the examination, the practitioner designs and performs procedures to obtain sufficient appropriate evidence about whether the description is presented in accordance with the description criteria and whether the controls were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

1.11 Furthermore, in an examination performed under the attestation standards, the practitioner examines and reports on subject matter that is the responsibility of another party. An attestation engagement is predicated on the concept that a party other than the practitioner (that is, the responsible party) makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. In a cybersecurity risk management examination, management is ordinarily the responsible party.

1.12 The cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report. The cybersecurity risk management examination report includes three key components:

Management’s description of the entity’s cybersecurity risk management program. The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program (description). This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. The description provides the context needed for users to understand the conclusions expressed by management in its assertion and by the practitioner in his or her report.4 Management uses the description criteria to prepare and evaluate an entity’s cybersecurity risk management program. The use of description criteria in the cybersecurity risk management examination is discussed further beginning in paragraph 1.33.

Management’s assertion. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether

— the description is presented in accordance with the description criteria and

— the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

The AICPA has also developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives. The use of control criteria in the cybersecurity risk management examination is discussed further beginning in paragraph 1.33.

Practitioner’s report. The third component is a practitioner’s report, which contains an opinion that addresses both subject matters in the examination. Specifically, the opinion addresses whether

— the description is presented in accordance with the description criteria and

— the controls within the entity’s cybersecurity risk management program were effective5 to achieve the entity’s cybersecurity objectives based on the control criteria.

1.13 Because the practitioner’s report is designed to be included in the cybersecurity risk management examination report, which is intended for broad or general distribution, the practitioner’s report is intended for general use. Nevertheless, as discussed throughout this guide, practitioners may decide to restrict the use of the report to specified users.

1.14 Although this guide specifically discusses the AICPA’s cybersecurity risk management examination, a practitioner is not prohibited from performing a different examination on an entity’s cybersecurity efforts in accordance with the attestation standards. The practitioner may still find much of the guidance in this guide helpful when performing and reporting in such an examination.

Difference Between Cybersecurity and Information Security

1.15 Before the widespread use of the Internet and the World Wide Web, most businesses had only limited connectivity with information systems outside their organizations. As a result, an entity’s information security focused on the protection of its IT systems and data against unauthorized access, use, and changes from within the entity. Today, most entities conduct portions of their business in cyberspace; therefore, their IT systems are highly interconnected with other organizations. For the purposes of this guide, cyberspace is defined as an interdependent network of information system infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers through which entities interact to conduct business and share information.

1.16 An entity’s cybersecurity risks are the subset of its information security risks that arise specifically from threats and vulnerabilities related to the connection to and use of cyberspace. Cybersecurity refers to the processes and controls implemented by an entity to manage cybersecurity risks. Because the processes and controls that address cybersecurity risks also address the vast majority of the entity’s other information security risks, the terms cybersecurity and information security are often used interchangeably. The main difference between information security and cybersecurity is that information security also addresses risks that arise from computer systems that are physically isolated from other electronic systems and the protection of information stored in a format that is not accessible through electronic means (such as printed paper stored in filing cabinets). From a practical standpoint, however, the difference is minor because most entities store, process, use, and transmit information electronically. For the purposes of this guide, there is no distinction between the two terms.

1.17 By using the term cybersecurity instead of information security, board members and senior management are acknowledging the new and magnified risks inherent with doing business in cyberspace. Additionally, they recognize that the cyberspace environment is becoming increasingly hostile. The almost daily appearance of new threat actors who exploit the vulnerabilities of cyberspace for criminal or malicious purposes—and their use of new technologies to implement their attacks—increases the risks of operating in cyberspace. Thus, entities have to continually develop more effective and more targeted processes and controls to respond to those risks. This requires board members and senior management to think well beyond the traditional IT areas of networks, applications, and data stores.

Description of the Entity’s Cybersecurity Risk Management Program

1.18 As previously discussed, management’s description of the entity’s cybersecurity risk management program is designed to provide users with information about the environment in which the entity operates and the process used to develop its cybersecurity objectives, identify its information assets and the threats against them, and the processes within the cybersecurity risk management program that the entity has designed and implemented to respond to those risks. The description is intended to enable users to understand the cybersecurity risk management program and the conclusions expressed by management in its assertion and by the practitioner in his or her report. It does not, however, provide a detailed narrative of the entity’s controls nor a listing of tests of controls performed by the practitioner and the results thereof.

1.19 As used in this guide, an entity’s cybersecurity risk management program is defined as the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.

1.20 Italicized terms are defined as follows:

• Information and systems refers to information in electronic form during its use, processing, transmission, and storage and the systems that use such information to process, transmit or transfer, and store information. A system refers to infrastructure, software, people, processes, and data that are designed, implemented, and operated to work together to achieve one or more specific business objectives (for example, delivery of services or production of goods) in accordance with management-specified requirements. As used in this document, systems include manual, automated, and partially automated systems that are used for information processing, manufacturing and production, inventory management and distribution, information storage, and support functions within an organization. Systems that have cybersecurity risks include, for example,

— manufacturing and production systems that are automated or partially automated (including the industrial control systems components);

— inventory management or distribution systems; and

— treasury and funds management and other types of back office systems.

• A security event is an occurrence, arising from actual or attempted unauthorized access or use by internal or external parties, that impairs or could impair the availability, integrity, or confidentiality of information or systems, result in unauthorized disclosure or theft of information or other assets, or cause damage to systems. A security incident is a security event that requires action on the part of an entity in order to protect information and other assets and resources.

• A compromise refers to a loss of confidentiality, integrity, or availability of information, including any resultant impairment of

— processing integrity or availability of systems or

— the integrity or availability of system inputs or outputs.

• An entity’s cybersecurity objectives are those objectives that the entity establishes to address cybersecurity risks that could otherwise threaten the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). Understanding the entity’s cybersecurity objectives is integral to the assessment and evaluation of whether controls are effective. Cybersecurity objectives are discussed in more detail later in this chapter.

1.21 The definition in paragraph 1.19 acknowledges a fundamental tenet of cybersecurity: an entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity’s cybersecurity controls. Understanding this tenet is essential to dispelling user misconceptions that an effective cybersecurity risk management program will prevent all security events from occurring. In fact, because of inherent limitations in its cybersecurity risk management program, an entity may achieve reasonable, but not absolute, assurance that security events are prevented and, for those not prevented, that they are detected, responded to, mitigated against, and recovered from on a timely basis. In other words, an effective cybersecurity risk management program is one that enables the entity to detect security events on a timely basis and to respond to and recover from such events with minimal disruption to the entity’s operations.

The Entity’s Cybersecurity Objectives

1.22 According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its 2013 Internal Control—Integrated Framework (COSO framework), internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the entity’s business objectives. Because of this relationship between internal control and objectives, the COSO framework states that management specifies suitable objectives so that the risks that threaten the achievement of the entity’s overall business objectives can be identified, assessed, and managed.

1.23 According to the COSO framework, there are three categories of objectives:

Operations objectives. These pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals and safeguarding assets against loss.

Reporting objectives. These pertain to internal and external financial and nonfinancial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.

Compliance objectives. These pertain to adherence to laws and regulations to which the entity is subject.

1.24 Cybersecurity risks are one of the types of risks that threaten the achievement of an entity’s overall business objectives. Consequently, entities often establish cybersecurity objectives that address their specific cybersecurity risks. Generally, the nature of an entity’s cybersecurity objectives varies depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors. For example, a telecommunications entity may have a cybersecurity objective related to the reliable functioning of those aspects of its operations that are deemed to be critical infrastructure, whereas an entity that promotes online dating is likely to regard the confidentiality of personal information collected from its customers as a critical factor toward the achievement of its operating objectives.

1.25 Management is responsible for establishing, and including in the description, the entity’s cybersecurity objectives with sufficient clarity to enable users to understand how the processes and controls within the entity’s cybersecurity risk management program were designed, implemented, and operated effectively to provide reasonable assurance of achieving those objectives. Because of the importance of the cybersecurity objectives to the cybersecurity risk management examination, the cybersecurity objectives established by management should be suitable for the engagement. Chapter 2, “Accepting and Planning a Cybersecurity Risk Management Examination,” discusses the attributes of suitable cybersecurity objectives.

1.26 The practitioner is responsible for determining whether the cybersecurity objectives established by management are suitable for the engagement prior to engagement acceptance. Chapter 2 also discusses that responsibility in further detail.

Effectiveness of Controls Within the Entity’s Cybersecurity Risk Management Program

1.27 In addition to providing a description of the entity’s cybersecurity risk management program, the cybersecurity risk management examination report also provides information about whether the controls the entity has designed, implemented, and operated to mitigate those risks were effective throughout the period of time covered by the engagement. For that reason, one of the subject matters of the cybersecurity risk management examination is the effectiveness of controls within an entity’s cybersecurity risk management program to achieve the entity’s cybersecurity objectives.

1.28 As used throughout this guide, the term effectiveness of controls encompasses both the suitability of the design of controls and their operating effectiveness:

Controls were suitably designed. Suitably designed controls, if complied with satisfactorily, provide reasonable assurance of achieving the entity’s cybersecurity objectives based on the control criteria. Suitably designed controls operate as designed by persons who have the necessary authority and competence to perform the controls.

Controls operated effectively. Suitably designed controls operate effectively if they provide reasonable assurance of achieving the entity’s cybersecurity objectives based on the control criteria.

1.29 Because there are specific considerations when evaluating each, chapter 3, “Performing the Cybersecurity Risk Management Examination,” of this guide contains separate discussions of suitability of design and operating effectiveness to support the practitioner’s overall opinion on the effectiveness of controls to achieve the entity’s cybersecurity objectives.

Overview of the Cybersecurity Risk Management Examination

1.30 The cybersecurity risk management examination is performed in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).

1.31 There are two subject matters in the cybersecurity risk management examination:

1. A description of the entity’s cybersecurity risk management program and

2. The effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives

1.32 As previously mentioned, management is usually the responsible party (that is, the party responsible for the subject matter) in a cybersecurity risk management examination because management is ultimately responsible for the entity’s cybersecurity risk management program; therefore, it is management’s responsibility to develop and present the description of the entity’s cybersecurity risk management program. The cybersecurity risk management examination is predicated on the fact that management will prepare a written description of the entity’s cybersecurity risk management program6 and a written assertion7 about whether the description is presented in accordance with the description criteria and whether the controls were effective to achieve the entity’s cybersecurity objectives.

1.33 Paragraph .10 of AT-C section 105 defines criteria as “the benchmarks used to measure or evaluate the subject matter.” To enable the preparation and evaluation of the cybersecurity information, two distinct yet complementary sets of criteria are used in the cybersecurity risk management examination:

1. Description criteria are used to prepare, and evaluate the presentation of, the description of the entity’s cybersecurity risk management program.

2. Control criteria are used to evaluate the effectiveness of controls to achieve the entity’s cybersecurity objectives.

1.34 Management is responsible for selecting the criteria to be used. AT-C section 105 states that criteria used in an examination engagement must be both suitable and available8 before a practitioner can accept the examination. Chapter 2 of this guide provides guidance for determining whether the criteria used in the cybersecurity risk management examination are suitable and available. It also discusses other responsibilities of management and the practitioner in the examination.

1.35 The performance and reporting guidance in this guide focuses on a cybersecurity risk management examination in which (a) the description criteria presented in appendix C are used to prepare the description and (b) the trust services criteria for security, availability, and confidentiality presented in appendix D are used as the control criteria. Nevertheless, this guidance may also be helpful to a practitioner engaged to perform a cybersecurity risk management examination in which management has elected to use other description and control criteria.

Other Information About the Cybersecurity Risk Management Examination

1.36 In the cybersecurity risk management examination, the practitioner expresses an opinion on whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. However, the practitioner does not express an opinion on certain matters related to compliance, privacy, or processing integrity. For example, in the cybersecurity risk management examination, the practitioner does not

1. Express an opinion on compliance with laws and regulations. The cybersecurity risk management examination is not designed to enable a practitioner to opine on whether an entity has complied with laws and regulations. However, it does address IT controls the entity has designed, implemented, and operated to support compliance with those laws or regulations. For example, if an entity has designed and implemented controls over its system to protect the protected health information (PHI) of its customers in accordance with the Health Insurance Portability and Accountability Act, the cybersecurity risk management examination would address those controls. In fact, the illustrative cybersecurity objectives described in paragraph 2.59 include a cybersecurity objective related to compliance with applicable laws and regulations, which involves the protection of information subject to privacy requirements from unauthorized access and disclosure.

2. Express an opinion with regard to privacy and processing integrity criteria. Similar to the previous example, the cybersecurity risk management examination is not designed to enable a practitioner to express an opinion on whether an entity’s controls operated effectively to achieve the entity’s cybersecurity objectives based on the processing integrity or privacy criteria included in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).9 However, it does address the effectiveness of cybersecurity controls that would support the achievement of the entity’s processing integrity and privacy objectives. For example, if a drug manufacturer has designed and implemented policies, processes, and controls over its online prescription ordering systems to maintain the confidentiality of customers’ PHI during the online ordering process, the cybersecurity risk management examination would address those controls. However, it would not address privacy-specific procedures such as the provision of notice and obtaining consent for use of PHI.

Time Frame of Examination

1.37 Paragraph .A1 of AT-C section 105 states that the subject matter of an attestation examination may be as of a point in time or for a period of time. Management is responsible for determining the time frame to be covered by the description. Regardless of the time frame selected, the cybersecurity risk management examination contemplates that the time frame is the same for both the description and management’s assertion. Furthermore, the cybersecurity risk management examination in this guide contemplates that management elects a specified period of time; accordingly, in this guide, the guidance on evaluating the description and the effectiveness of controls is based on a specified period of time. When reporting on a point in time, the practitioner should use professional judgment when designing his or her examination procedures.

Comparison of the Cybersecurity Risk Management Examination With an Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements

1.38 The cybersecurity risk management examination ordinarily addresses all of the entity’s overall business objectives, including operations, compliance, and reporting. In contrast, an audit of internal control over financial reporting that is integrated with an audit of financial statements (integrated audit) only addresses the entity’s external financial reporting objectives. Accordingly, the auditor’s procedures on IT controls in an integrated audit are not sufficient to enable him or her to provide an opinion on whether controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.10

Cybersecurity Risk Management Examination That Addresses Only a Portion of the Entity’s Cybersecurity Risk Management Program

1.39 Although the cybersecurity risk management examination discussed in this guide usually addresses an entity-wide cybersecurity risk management program, there may be circumstances in which management may engage the practitioner to examine and report on only a portion of that program, such as one of the following:

• One or more specific business units, segments, or functions of an entity

— when those units, segments, or functions operate under an entity-wide cybersecurity risk management program or

— when those units, segments, or functions operate under an independent cybersecurity risk management program

• One or more specific types of information used by the entity

1.40 For example, assume an entity is selling a particular division of its business that operates under a separate, independent cybersecurity risk management program, and potential buyers have expressed concerns about the cybersecurity risks they may be taking on through the potential purchase. In response to those concerns, management might engage a practitioner to examine and report on the cybersecurity risk management program of that division only.

1.41 Chapter 2 discusses in further detail accepting a cybersecurity risk management examination when the cybersecurity risk management examination addresses only a portion of the entity-wide cybersecurity risk management program.

Cybersecurity Risk Management Examination That Addresses Only the Suitability of the Design of Controls (Design-Only Examination)

1.42 There may be circumstances in which management may not be prepared to make an assertion about whether the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives. In such circumstances, rather than making an assertion about whether controls were effective to achieve the entity’s cybersecurity objectives, management may make an assertion only about the suitability of the design of controls that have been implemented within the program and engage the practitioner to examine and report on such information.

1.43 In this guide, such an examination is referred to as a design-only cybersecurity risk management examination (or a design-only examination) and includes the following two subject matters: (1) the description of the entity’s cybersecurity risk management program and (2) the suitability of the design of controls implemented within that program to achieve the entity’s cybersecurity objectives. Because operating effectiveness is not tested, a design-only examination would not provide report users with sufficient information to assess the effectiveness of controls within the entity’s cybersecurity risk management program. However, it may be useful to report users who want to obtain an understanding of the entity’s cybersecurity risk management program and the key security policies and processes within that program that the entity has implemented to achieve its cybersecurity objectives.

1.44 Chapter 2 discusses circumstances in which a design-only examination might be appropriate and factors that practitioners consider when accepting such an engagement.

Other Engagements Related to Controls Over Security, Availability, Processing Integrity, Confidentiality, or Privacy

1.45 Although the focus of this guide is on a practitioner engaged to perform and report on the cybersecurity risk management examination, there are other engagements a practitioner may be engaged to perform that also address an entity’s controls over the security, availability, processing integrity, confidentiality, and privacy of information. This section describes other types of engagements and discusses the differences between them and the cybersecurity risk management examination.

SOC 2 Engagements

1.46 An entity’s management is responsible for assessing and addressing risks faced by the entity related to reporting, compliance with laws and regulations, and the efficiency and effectiveness of its operations. When an entity engages a service provider (referred to as a service organization in this context) to perform certain processes or functions, the entity (referred to as a user entity) exposes itself to additional risks related to the service organization’s system. Although management of a user entity can delegate tasks or functions to a service organization, the ownership and responsibility for the product or service provided to customers of the user entity cannot be delegated. Management of the user entity is held responsible by those charged with governance (for example, board members), customers, shareholders, regulators, and other affected parties for establishing effective internal control over outsourced functions.

1.47 To assess and address the risks associated with an outsourced service, management of the user entity needs information about the service organization’s controls over the system through which the services are provided. When assessing controls at a service organization that may be relevant to and affect the services provided to user entities, management of a user entity may ask the service organization for a service auditor’s report on a description of the service organization’s system and the design and operating effectiveness of controls over the service organization’s system that may be relevant to the security, availability, or processing integrity of the system or the system’s ability to maintain the confidentiality or privacy of the information processed for user entities. Obtaining a service auditor’s report from a service organization provides management of the user entity with information that may be useful in assessing risk but does not relieve the user entity of its responsibilities with regard to an effective system of internal control.

1.48 In a SOC 2 engagement, the service auditor examines and reports on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of the controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy against the trust services criteria in TSP section 100. AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) provides guidance to service auditors engaged to perform a SOC 2 engagement.

Comparison of a Cybersecurity Risk Management Examination and a SOC 2 Engagement

1.49 Appendix B presents a comparison of the cybersecurity risk management examination with a SOC 2 engagement and related report.

Engagements Under the AICPA Consulting Standards

1.50 In addition to examination engagements, practitioners may be engaged to perform procedures on an entity’s cybersecurity risk management program in accordance with CS section 100, Consulting Services: Definitions and Standards (AICPA, Professional Standards). A nonassurance consulting engagement may provide information and recommendations to management and often precedes an attestation engagement. Practitioners may find the description criteria presented in appendix C, the control criteria presented in appendix D, and the performance and reporting guidance in this guide helpful when conducting such engagements.

Professional Standards

1.51 This guide provides guidance for practitioners performing the cybersecurity risk management examination under the attestation standards. In addition to the performance and reporting guidance in the attestation standards, practitioners performing a cybersecurity risk management examination are required to comply with the requirements of other professional standards, such as professional ethics and quality control standards. This section discusses each of the professional standards that apply to a cybersecurity risk management examination.

Attestation Standards

1.52 AT-C section 105 applies to all engagements in which a practitioner in the practice of public accounting is engaged to issue, or does issue, an attestation report on subject matter or an assertion about subject matter that is the responsibility of another party. AT-C section 205 contains performance, reporting, and application guidance that applies to all examination engagements under the attestation standards. Therefore, a practitioner engaged to perform a cybersecurity risk management examination should comply with all relevant requirements in both of those AT-C sections.

1.53 When a cybersecurity risk management examination is performed for the benefit of a government body or agency, or the practitioner agrees to follow specified government standards, guides, procedures, statutes, rules, or regulations, paragraph .17 of AT-C section 105 requires the practitioner to comply with those governmental requirements as well as with other applicable AT-C sections.

1.54 This guide provides additional application guidance to assist practitioners engaged to perform and report on a cybersecurity risk management examination. Because this guide is an interpretive publication, paragraph .21 of AT-C section 105 requires the practitioner to consider this guidance when planning and performing a cybersecurity risk management examination.

1.55 In some cases, this guide repeats or refers to the requirements in AT-C section 105 and AT-C section 205 when describing those requirements in the context of a cybersecurity risk management examination. Although not all of the requirements in AT-C section 105 and AT-C section 205 are repeated or referred to in this guide, the practitioner is responsible for complying with all relevant requirements contained in those sections.

Code of Professional Conduct

1.56 The AICPA Code of Professional Conduct (code) provides guidance and rules that apply to all members in the performance of their professional responsibilities. The code includes the fundamental principles that govern the performance of all professional services performed by CPAs and, among other things, call for CPAs to maintain high ethical standards and to exercise due care in the performance of all services. When providing attestation services, the “Considering or Subsequent Employment or Association With an Attest Client” subtopic (AICPA, Professional Standards, ET sec. 1.279) of the “Independence Rule” also requires CPAs to be independent in both fact and appearance. Independence in a cybersecurity risk management examination is discussed in more detail beginning in paragraph 2.66 of this guide.

Quality in the Cybersecurity Risk Management Examination

1.57 Paragraphs .06–.07 of AT-C section 105 discuss the relationship between the attestation standards and the AICPA quality control standards. Quality control systems, policies, and procedures are the responsibility of a firm when conducting its attestation practice. Under QC section 10, A Firm’s System of Quality Control (AICPA, Professional Standards), a CPA firm has an obligation to establish and maintain a system of quality control to provide it with reasonable assurance that

  1. the firm and its personnel comply with professional standards and applicable legal and regulatory requirements and

  2. reports issued by the firm are appropriate in the circumstances.

1.58 QC section 10 additionally states that the firm should establish criteria against which all engagements are to be evaluated to determine whether an engagement quality control review should be performed. If the engagement meets the established criteria, the nature, timing, and extent of the engagement quality control review should follow the guidance discussed in that standard and the requirements in paragraph .42 of AT-C section 105.

1.59 Paragraph .33 of AT-C section 105 states that the engagement partner should take responsibility for the overall quality of the attestation engagement, including matters such as client acceptance and continuance, compliance with professional standards, and maintenance of appropriate documentation. As part of those responsibilities, paragraph .32 of AT-C section 105 states that the engagement partner should be satisfied that all members of the engagement team, including external specialists, have the competence and capabilities to perform the engagement in accordance with professional standards. Chapter 2 discusses assessing the competence and capabilities that members of the engagement team need to possess to perform the cybersecurity risk management examination.
