As you may have heard, the AICPA’s Assurance Services Executive Committee (ASEC) released the “Guide – Reporting on an Entity’s Cybersecurity Risk Management Program and Controls” on May 1, 2017. As a follow-up, we would like to provide more clarity on the frequently asked questions about the SOC for Cybersecurity program.
System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. It consists of SOC for Service Organizations (SOC 1, SOC 2 and SOC 3), SOC for Cybersecurity and SOC for supply chain vendors (under development).
SOC for Cybersecurity is a market-driven, flexible, and voluntary reporting framework to help organizations communicate about their cybersecurity risk management program and the effectiveness of controls within that program. A cybersecurity risk management examination engagement can be performed by CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.
A CPA (referred to as a practitioner in an attestation engagement) performs and reports in the cybersecurity risk management examination in accordance with the Statements on Standards for
A cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report that is for general use. The report includes the following three key components:
Unlike SOC 1 and SOC 2 reports, which have limited distribution, the cybersecurity risk management examination report is intended for broad or general distribution.
An entity may engage the practitioner to perform one of the two types of cybersecurity risk management examinations as described below.
Yes, an entity may engage the practitioner to examine and report on only a portion of its entity-wide cybersecurity risk management program, such as one or more specific business units, segments or functions of an entity.
A SOC for Cybersecurity report provides transparency into the key elements of the entity’s cybersecurity risk management program, improves communication, and enhances confidence in the integrity of the information presented, since the examination is performed by an independent third-party assessor. The intended audience for this examination consists of:
The cybersecurity risk management examination is performed in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
CPAs can use the SOC for Cybersecurity criteria and guidance to provide advisory engagements that help their clients strengthen their cybersecurity risk management programs. Alternatively, once an organization reaches a state of readiness, an independent CPA can perform a cybersecurity risk management examination engagement and provide an opinion on the entity’s description of its program and on the effectiveness of its controls.
More information regarding the new SOC for Cybersecurity can be found on AICPA’s SOC for Cybersecurity page.
For more insight into ensuring your organization is cyber secure and has the necessary policies and procedures in place, contact Withum’s SOC for Cybersecurity or Cybersecurity and Information Security Services team. Withum’s team includes seven of the nation’s first professionals certified in SOC for Cybersecurity by the AICPA and is well equipped to provide cyber services through its talented team of professionals experienced in a variety of cybersecurity assessment engagements.