As you may have heard, the AICPA’s Assurance Services Executive Committee (ASEC) released the Guide – Reporting on an Entity’s Cybersecurity Risk Management Program and Controls on May 1, 2017. Since this is a relatively new type of SOC audit, we thought we’d provide some clarity on the questions we are frequently asked about SOC for Cybersecurity programs.
System and Organization Controls (SOC) is a suite of service offerings that certified CPAs provide in connection with the system-level controls of a service organization or the entity-level controls of other organizations. Traditional SOC audits typically produce three reports for different distribution purposes: the SOC 1, the SOC 2 and the SOC 3. Reporting on an entity’s cybersecurity risk management program and controls, however, requires a separate SOC for Cybersecurity report. SOC for Cybersecurity is a market-driven, flexible and voluntary reporting framework that helps organizations communicate about their cybersecurity risk management program and the effectiveness of the controls within that program. When someone requests a SOC for Cyber audit, certified CPAs perform a cybersecurity compliance examination engagement. This examination covers two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program and (b) the effectiveness of the controls within that program in achieving the entity’s cybersecurity objectives.
An AICPA-certified CPA (referred to as a practitioner in an attestation engagement) performs the examination and reports on the cybersecurity compliance program in accordance with the Statements on Standards for Attestation Engagements.
A cybersecurity risk management examination results in the issuance of a SOC for Cybersecurity Report, which is considered a general-use report and includes the following three key components:
Unlike SOC 1 or SOC 2 reports, which have restricted distribution, the SOC for Cybersecurity report is intended for broad or general distribution.
An entity may engage the practitioner to perform one of the two types of SOC for Cybersecurity audits as described below.
Yes! An entity may engage the practitioner to examine and report on only a portion of its cybersecurity risk management program, such as one or more specific business units, segments or functions.
A SOC for Cybersecurity report provides transparency into the key elements of the entity’s cybersecurity compliance program, improves communication, and enhances confidence in the integrity of the information presented, because the examination is performed by an independent third-party assessor. The intended audience for this examination consists of:
The SOC for Cybersecurity examination is performed in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
Internal CPAs can try to navigate the AICPA SOC for Cybersecurity criteria and guidance themselves, but that can get complicated, especially if your CPA isn’t certified. More commonly, as an organization reaches a state of readiness, it engages an independent CPA who can perform the SOC audit and provide an opinion on the entity’s description of its program and on the effectiveness of its controls.
For more insight into ensuring your organization is cyber secure and has the right policies and procedures in place, contact Withum’s SOC for Cybersecurity or Cybersecurity and Information Security Services team. Withum’s team includes seven of the nation’s first professionals certified in SOC for Cybersecurity by the AICPA and is well equipped to provide cyber services through its talented team of professionals experienced in a variety of cybersecurity assessment engagements.