AICPA UPDATES TO ATTESTATION STANDARDS - ISACA (PDF)


  • An independent member of UHY International UHY LLP 2017 All Rights Reserved

AICPA UPDATES TO ATTESTATION STANDARDS
    AICPA AUDITING STANDARDS BOARD


SSAE 18: NEW SOC 1 STANDARD

    In April 2016, the AICPA replaced Statement on Standards for Attestation Engagements No. 16 (SSAE 16) with SSAE 18, to address concerns over the clarity, length and complexity of the AICPA attestation standards.

    Beginning May 1, 2017, all SOC 1 attestations must be performed in accordance with SSAE 18, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AT-C section 320).

    SSAE 18 consolidates the prior SSAEs (including SSAE 16) into a single clarified standard and is effective for practitioners' reports dated on or after May 1, 2017.

    As with all attestation standards, SSAE 18 is written for practitioners (the auditors performing the examination); it is not a certification that a service organization can hold or claim.


UPDATED TRUST SERVICES CRITERIA

    In September 2016, the AICPA proposed a revision of the criteria used in SOC 2 examinations, TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

    Effective June 15, 2018, all practitioners are required to use the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy when providing attestation or consulting services that specify use of the Trust Services Criteria.

    The updated Trust Services Criteria are aligned with the 2013 COSO framework, which allows the criteria to be used in entity-wide examinations rather than only for a service organization's system.

    The 2013 COSO framework is the leading framework for assessing the design and effectiveness of internal control and for evaluating the effectiveness of an entity's internal control over financial reporting (ICFR).

    http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/DownloadableDocuments/ExposureDrafts/ASEC_ED_Rev_Trust_Services.pdf


AICPA'S CYBERSECURITY REPORTING: WHAT WE KNOW

    The AICPA established a working group under the auspices of the Assurance Services Executive Committee (ASEC) to work in collaboration with the Auditing Standards Board to develop a cybersecurity reporting framework. The key steps being undertaken by the working group are:

    • Identify existing cybersecurity reporting frameworks
    • Develop a preliminary approach to cybersecurity reporting
    • Develop the contents of a description of an organization's cybersecurity program
    • Identify criteria for assessing the effectiveness of cybersecurity program controls


PROPOSED CYBERSECURITY STANDARDS

    In September 2016, the AICPA issued two proposals that together provide a framework for evaluating how a company manages cybersecurity risk.

    The first proposal provides criteria for developing management's description of an entity's cybersecurity program (Description criteria), and for practitioners to use when reporting on management's description.

    The second proposal provides criteria for evaluating the design and operating effectiveness of cybersecurity program controls (Control criteria).

    In addition to the two proposals, a cybersecurity attestation guide is currently under development. To date, this guide does not require use of the AICPA's proposed Description or Control criteria; management and the auditor may instead use any suitable framework for their cybersecurity examination.

    https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/exposuredrafts/asec_ed_criteria_cyber_engagement.pdf
    http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/DownloadableDocuments/ExposureDrafts/ASEC_ED_Rev_Trust_Services.pdf


    CYBERSECURITY ATTESTATION V. CYBERSECURITY RISK ASSESSMENT

What is the purpose?
      Cybersecurity Attestation: Primarily to provide a report that addresses the needs of external users, who need information to help them evaluate management's process for managing cybersecurity risks.
      Cybersecurity Risk Assessment: To review an entity's technology management and business processes in order to describe the entity's current risk management posture, identify gaps or weaknesses, and provide directional recommendations to remediate the findings identified.

    Who are the intended users?
      Cybersecurity Attestation: Third parties whose decisions may be affected by the effectiveness of the entity's cybersecurity risk management program.
      Cybersecurity Risk Assessment: Business process managers, IT management and executive leadership.

    What are the criteria for the engagement?
      Cybersecurity Attestation: To date, any suitable cybersecurity framework, or the AICPA Cybersecurity Attestation Guide [currently under development].
      Cybersecurity Risk Assessment: NIST 800-53, Security and Privacy Controls.

    Is the report appropriate for general use or restricted to specified parties?
      Cybersecurity Attestation: Appropriate for general use.
      Cybersecurity Risk Assessment: Restricted to specified parties.
