
SOC for Cybersecurity FAQs

On May 1, 2017, the AICPA’s Assurance Services Executive Committee (ASEC) released the “Guide – Reporting on an Entity’s Cybersecurity Risk Management Program and Controls.” As a follow-up, this page answers the questions we are most frequently asked about the SOC for Cybersecurity program.

What is SOC for Cybersecurity?

System and Organization Controls (SOC) is a suite of service offerings that CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. It consists of SOC for Service Organizations (SOC 1, SOC 2 and SOC 3), SOC for Cybersecurity and SOC for Supply Chain (under development at the time of writing).

SOC for Cybersecurity is a market-driven, flexible, and voluntary reporting framework to help organizations communicate about their cybersecurity risk management program and the effectiveness of controls within that program. A cybersecurity risk management examination engagement can be performed by CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.

Who can perform a cybersecurity risk management examination?

A CPA (referred to as a practitioner in an attestation engagement) performs and reports on the cybersecurity risk management examination in accordance with the Statements on Standards for Attestation Engagements (SSAE).

What are the key components of a cybersecurity risk management examination report?

A cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report that is for general use. The report includes the following three key components:

  1. Management’s description of the entity’s cybersecurity risk management program. The first component is a narrative description of the entity’s cybersecurity risk management program, prepared by management (the description). The description is designed to explain how the entity identifies its information assets, how it manages the cybersecurity risks that threaten those assets, and the key security policies and processes it has implemented and operates to protect them. Management uses the AICPA’s description criteria both to prepare the description and to evaluate the program.
  2. Management’s assertion. The second component is an assertion provided by management, which may be made as of a point in time or for a specified period of time. The assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.
  3. Practitioner’s report. The third component is the practitioner’s report, which contains an opinion covering both subject matters in the examination. The opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

Is there any restriction on distribution of this report?

No. Unlike SOC 1 and SOC 2 reports, whose distribution is restricted to specified users, the cybersecurity risk management examination report is intended for general use and may be distributed broadly.

What are the different types of cybersecurity risk management examinations?

An entity may engage the practitioner to perform one of the two types of cybersecurity risk management examination described below.

  1. Cybersecurity risk management examination. This examination addresses both the description and the effectiveness of controls within the entity’s cybersecurity risk management program.
  2. Design-only examination. This examination addresses only the suitability of the design of the controls; it does not address whether those controls operated effectively.

Can an organization get a cybersecurity risk management examination done for a business unit and not the entire organization?

Yes. An entity may engage the practitioner to examine and report on only a portion of its entity-wide cybersecurity risk management program, such as one or more specific business units, segments or functions of the entity. The description and the practitioner’s report then cover only that portion.

Who are the intended audience and what is the benefit of this examination?

A SOC for Cybersecurity report provides transparency into the key elements of the entity’s cybersecurity risk management program, improves communication with stakeholders and enhances confidence in the integrity of the information presented, because the examination is performed by an independent third-party practitioner. The intended audience for this examination consists of:

  • Board members and directors who need information about the cybersecurity risks the entity faces.
  • Analysts and investors who need to understand the cybersecurity risks that could threaten the achievement of the entity’s operational, reporting and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the business’s value and stock price.
  • Business partners who can use information about the entity’s cybersecurity risk management program as part of their own risk assessments.
  • Industry regulators who can use information about the entity’s cybersecurity risk management program to support their oversight role.

What standards and framework will be used for the examination?

The cybersecurity risk management examination is performed in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).

How should an organization get ready for a SOC for Cybersecurity examination?

Readiness typically comes in two stages. First, CPAs can use the SOC for Cybersecurity criteria and guidance in advisory engagements to help an organization strengthen its cybersecurity risk management program and close gaps against the description and control criteria. Then, once the organization has reached a state of readiness, an independent CPA can perform the cybersecurity risk management examination and issue an opinion on the entity’s description of its program and on the effectiveness of its controls.

Where can I find more resources and guidance regarding SOC for Cybersecurity?

More information regarding SOC for Cybersecurity can be found on the AICPA’s SOC for Cybersecurity page.
For more insight into ensuring your organization is cyber secure and has the necessary policies and procedures in place, contact Withum’s SOC for Cybersecurity or Cybersecurity and Information Security Services team. Withum’s team includes seven of the nation’s first professionals certified in SOC for Cybersecurity by the AICPA and is well equipped to provide cyber services through professionals experienced in a variety of cybersecurity assessment engagements.
