Financial Reporting and Regulatory Update

First Quarter 2018

From the AICPA

Cybersecurity Examinations Paper

The AICPA released a paper, “SOC 2 Examinations and SOC for Cybersecurity Examinations: Understanding the Key Distinctions,” to clarify the differences between a System and Organization Controls (SOC) for cybersecurity examination (that is, an examination based on the AICPA’s attestation guide, “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls”) and a SOC 2 examination. According to the paper, both examinations can provide useful information about an entity’s cybersecurity risk management program and related controls, but key differences exist.

The SOC for cybersecurity examination guide was released by the AICPA on April 26, 2017, as one of three parts in a framework for reporting on an entity’s cybersecurity risk management program and controls. A SOC for cybersecurity examination addresses an entity’s cybersecurity risk management program and controls, and the examination report is designed to be a general use report, which means the report is not restricted to specified parties. This type of examination requires a description of an entity’s cybersecurity risk management program and controls that satisfies the AICPA’s “Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.”

The SOC 2 examination, on the other hand, addresses controls at a service organization (that is, a third-party service provider) that cover the service organization’s systems used to process a particular entity’s data or information, and the report typically is restricted to specified users. In addition, the SOC 2 examination is specific to pre-established control criteria (that is, the AICPA’s trust services criteria) that address data security, availability, processing integrity, confidentiality, or privacy.