An independent member of UHY International UHY LLP 2017 All Rights Reserved
AICPA UPDATES TO ATTESTATION STANDARDS
AICPA AUDITING STANDARDS BOARD
SSAE 18: NEW SOC 1 STANDARD

In April 2016, the AICPA issued Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which supersedes SSAE 16 and addresses concerns over the clarity, length and complexity of the AICPA attestation standards.

Beginning May 1, 2017, all SOC 1 attestations must be performed in accordance with SSAE 18, specifically AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting.

SSAE 18 consolidated and recodified the existing SSAEs (including SSAE 16) into the clarified AT-C sections, and is effective for practitioners' reports dated on or after May 1, 2017.

As with all attestation standards, SSAE 18 is directed at practitioners (the service auditors who perform the examination); it is not a certification that a service organization can obtain, so a service organization cannot be "SSAE 18 certified".
UPDATED TRUST SERVICES CRITERIA

In September 2016, the AICPA proposed a revision of TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, the criteria currently used in SOC 2 examinations.

Under the proposal, effective June 15, 2018, all practitioners would be required to use the revised Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy when providing attestation or consulting services that specify use of the Trust Services Criteria.

The updated Trust Services Criteria incorporate the 2013 COSO Internal Control framework, which allows the trust services criteria to be used in entity-wide examinations (such as an examination of an entity's cybersecurity risk management program) in addition to system-level SOC 2 examinations.

The 2013 COSO framework is the leading framework for assessing the design and effectiveness of internal control and for evaluating the effectiveness of an entity's internal control over financial reporting (ICFR).

Exposure draft: http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/DownloadableDocuments/ExposureDrafts/ASEC_ED_Rev_Trust_Services.pdf
AICPA'S CYBERSECURITY REPORTING: WHAT WE KNOW

The AICPA established a working group under the auspices of the Assurance Services Executive Committee (ASEC) to work in collaboration with the Auditing Standards Board to develop a cybersecurity reporting framework. The key steps being undertaken by the working group are:

- Identify existing cybersecurity reporting frameworks
- Develop a preliminary approach to cybersecurity reporting
- Develop the contents of a description of an organization's cybersecurity program
- Identify criteria for assessing the effectiveness of cybersecurity program controls
PROPOSED CYBERSECURITY STANDARDS

In September 2016, the AICPA issued two proposals that together provide a framework for evaluating how an entity manages cybersecurity risk.

The first proposal provides criteria for developing management's description of an entity's cybersecurity risk management program (the Description criteria), which practitioners also use when reporting on management's description.

The second proposal provides criteria for evaluating the design and operating effectiveness of the controls within the cybersecurity program (the Control criteria).

In addition to the two proposals, a cybersecurity attestation guide is under development. To date, the draft guide does not require use of the AICPA's proposed Description or Control criteria; management and the auditor may instead use any suitable framework for the cybersecurity examination.

Exposure drafts:
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/exposuredrafts/asec_ed_criteria_cyber_engagement.pdf
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/DownloadableDocuments/ExposureDrafts/ASEC_ED_Rev_Trust_Services.pdf
CYBERSECURITY ATTESTATION V. CYBERSECURITY RISK ASSESSMENT

What is the purpose?
- Cybersecurity attestation: primarily to provide a report that addresses the needs of external users, who need information to help them evaluate management's process for managing cybersecurity risks.
- Cybersecurity risk assessment: to review an entity's technology management and business processes in order to describe the entity's current risk management posture, identify gaps or weaknesses, and provide directional recommendations to remediate all findings identified.

Who are the intended users?
- Cybersecurity attestation: third parties whose decisions may be affected by the effectiveness of the entity's cybersecurity risk management program.
- Cybersecurity risk assessment: business process managers, IT management and executive leadership.

What are the criteria for the engagement?
- Cybersecurity attestation: to date, any suitable cybersecurity framework, or NIST SP 800-53, Security and Privacy Controls.
- Cybersecurity risk assessment: the AICPA Cybersecurity Attestation Guide (currently under development).

Is the report appropriate for general use or restricted to specified parties?
- Cybersecurity attestation: appropriate for general use.
- Cybersecurity risk assessment: restricted to specified parties.