The AICPA has issued a much-anticipated standard on cyber security. The new guidance, referred to informally as the “Cyber SOC” (the AICPA’s own name for it is SOC for Cybersecurity), creates a process that CPAs can use to examine and report on a company’s cyber security risk management program. In the past, organizations relied on various consultants, internal resources, and sometimes just plain luck to identify and mitigate cyber risks. The Cyber SOC changes how cyber risks are evaluated and managed by providing an independent, objective examination of an organization’s processes, policies and controls around those risks.
Boards of Directors have much to gain from the new standard. Very few boards have a sophisticated understanding of cyber risks; the risks change almost daily and often involve complicated technology issues. The Cyber SOC provides a much more consistent benchmark of a business’ cyber security. The standard uses the same structure as Service Organization Control reporting (since renamed System and Organization Controls reporting): a management description of the program and its controls, the objectives or criteria those controls are measured against, and independent testing of the controls.
Public and middle-market businesses can expect requests for a Cyber SOC report from lenders and potential investors. Given the importance of cyber security in every sector of the economy, this report is expected to become a standard resource for anyone considering an equity stake in, or a loan to, a business seeking capital.
As with previous SOC reports, the Cyber SOC framework allows for a readiness assessment that serves as a dry run for the formal SOC engagement. In the readiness assessment, the CPA benchmarks the organization’s current cyber control framework against the Cyber SOC control objectives. This benchmarking identifies gaps in the cyber control environment that can then be remediated before the formal examination. A readiness assessment is advisory only; it does not produce an attestation report.
Once the readiness assessment is complete and the identified gaps have been remediated, the SOC examination can be performed. Each key cyber control is tested for both its design and its operating effectiveness, which addresses concerns about how robust the controls actually are in practice rather than on paper. A report summarizing the controls, the testing performed and the results should then be provided to the Board as part of its oversight responsibilities. As with any SOC report, the Board should note the scope and the period the opinion covers; controls outside that scope, or changes made after the examination period, are not covered by the opinion.
The Cyber SOC is one of the next-generation services from the AICPA. It is valuable for organizations, and just as important to their Boards, in identifying and managing cyber risks.