The AICPA has issued its much-awaited standard on cyber security. The new guidance, referred to as the “Cyber SOC,” allows CPAs to audit a company’s cyber security. In the past, organizations relied on various consultants, internal resources, and sometimes just plain luck to identify and mitigate cyber risks. The Cyber SOC fundamentally changes how cyber threats are evaluated and managed. It allows for an independent, objective look at an organization’s processes, policies and controls around cyber risks.
Boards of Directors have the most to gain from the new standard. Cyber risks are pervasive and can impact every area of an entity’s operations. Astute board members are asking questions about cyber risks, driven in part by their own learning and in part by their external auditor’s questions. Currently, the PCAOB is asking audit firms questions regarding their evaluation of the company’s cyber position. Right now, these are just questions. In the near future, it’s entirely possible that cyber risks will be included as part of the 10-K (there’s legislation in the House now that would require cyber to be included in SOX certifications and testing). Once the trigger has been pulled, the PCAOB will require auditors to perform detailed testing around cyber risks and controls.
All these changes leave board members in a difficult position. Very few boards have a sophisticated understanding of cyber risks. The risks change almost daily and can relate to complicated technology issues. However, boards need to continue to ask questions around cyber. They should also seek assurance as to the robustness of internal controls and processes related to cyber risks. That’s where the Cyber SOC is instrumental. The standard uses the same framework of management’s description of controls, control objectives and control testing as is used in Service Organization Control Reporting (now renamed System and Organization Control Reporting).
The Cyber SOC framework can be used to perform a readiness assessment, which is a dry run for the formal SOC audit. In the readiness assessment, the auditor benchmarks the organization’s current cyber control framework against the Cyber SOC control objectives. This benchmarking allows for the identification of gaps in the cyber control environment that can then be remediated. It’s easy to imagine a Board requesting a Cyber SOC readiness assessment and then monitoring progress against the gap analysis on a quarterly basis.
Once the readiness assessment is performed and all gaps are mitigated, a SOC audit can be performed. In the audit, each cyber control is tested by the auditor. This approach alleviates concern about the robustness and operating effectiveness of the cyber controls, because each key control is tested. A report summarizing the controls, testing and results should then be provided to the Board as part of its oversight responsibilities.
The Cyber SOC is one of the next generation services from the AICPA. It’s incredibly valuable for organizations, and just as important to their Board members in identifying and managing cyber risks.