On July 18, 2022, the Association of International Certified Professional Accountants (AICPA) testified before the DOL’s ERISA Advisory Council on Employee Welfare and Pension Benefit Plans on cybersecurity issues affecting health benefit plans.
The testimony addressed:
- Cybersecurity risks faced by health benefit plans
- Plan auditor’s responsibility for evaluating cybersecurity risk and controls in an audit of a plan’s financial statements
- Cybersecurity services CPAs can provide, outside the basic financial statements, to help plan management assess the effectiveness of a service organization’s controls and to communicate such information to users
- Overview of AICPA’s System and Organization Control (SOC) Suite of Services and related reporting frameworks, with a focus on how SOC 2 reports and SOC for Cybersecurity reports can provide plan management with information about a service organization’s (or other organization’s) cybersecurity efforts
Appendix A identifies differences between SOC 1, SOC 2, and SOC for Cybersecurity examinations and related reports.