Few people, I suspect, spend their free time combing through exposure drafts from the AICPA or the Auditing Standards Board. However, it’s our job to know what changing in the accounting and attestation standards and make sure you are aware. So there are a few changes coming your way that we recommend brushing up on so you can impress your friends when the topic of internal control reporting comes up and the next cocktail party.
It starts with the name
The Auditing Standards Board (ASB) and AIPCA have been hard at work amending and updating the SOC standards for 2017, starting with the name: SOC. For many years, the report for internal controls over financial reporting for a service organization were audited under SAS 70. Then, the standards were updated and allowed multiple types of engagements to achieve different objectives. You’ll recognize them as SSAE 16/SOC 1, SOC 2, or SOC 3. In these instances, “SOC” meant “Service Organization Control Reports”. But now, “service organization control” has gone the way of the SAS 70.
Beginning in 2017 the AICPA has introduced the term “system and organization controls” as the new definition of SOC engagements. The basis of the engagements is substantially the same but with new names.
- SOC 1® – SOC for Service Organizations: ICFR. Addresses the controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.
- SOC 2® – SOC for Service Organizations: Trust Services Criteria. Addresses entities’ controls over the security, availability, confidentiality, processing integrity or privacy of information.
- SOC 3® – SOC for Service Organizations: Trust Services Criteria for General Use Report. A CPA’s opinion report that may be made available for general use.
- SOC for Cybersecurity. An examination of entities’ cybersecurity risk management program and related controls.
CPAs and Cybersecurity
You are likely familiar with the first three types of SOC audits. But one you haven’t seen before is SOC for Cybersecurity. The AICPA has been developing a framework to allow CPAs to conduct an examination on an entity’s cybersecurity risk management program. It will be similar to a SOC 2 in that the engagement will include a description of an entity’s risk management program and will be supported by an amended Trust Services Criteria which more specifically addresses cybersecurity.
The Risk Advisory Services team is closely following the information coming from the AICPA about the new SOC for Cybersecurity. From our years of experience applying the Trust Services framework and performing IT audits and vulnerability assessments, we are in the unique position to quickly begin conducting SOC for Cybersecurity engagements when the final guidance becomes available. In the meantime, we can help identify weaknesses in your internal controls and cybersecurity preparedness (albeit, without the weight of a CPA’s opinion attached to it). Be on the lookout for an official announcement later this year about SOC for Cybersecurity and other cybersecurity initiatives from the AICPA.
Need help determining what type of SOC engagement you need? Download our SOC Guide
Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.