As you may have heard, the AICPA’s Assurance Services Executive Committee (ASEC) released the Guide – Reporting on an Entity’s Cybersecurity Risk Management Program and Controls on May 1, 2017. Since this is a relatively new type of SOC audit, we thought we’d provide some clarity into the frequently asked questions we get around SOC for Cybersecurity programs.
What is a SOC for Cybersecurity Audit?
System and Organization Controls (SOC) is a suite of service offerings certified CPAs provide in connection with system-level controls of a service organization, or entity-level controls of other organizations. Traditional SOC audits typically include three reports for different distribution purposes, the SOC 1, the SOC 2 and the SOC 3. However, reporting on an entity’s cybersecurity risk management program and controls requires a separate SOC for Cybersecurity report. SOC for Cybersecurity is a market-driven, flexible, and voluntary reporting framework to help organizations communicate about their cybersecurity risk management program and the effectiveness of controls within that program. When someone requests a SOC for Cyber audit, a cybersecurity compliance examination engagement is performed by certified CPAs. In this examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.
A List of SOC for Cybersecurity FAQs
Who can perform a cybersecurity risk management examination?
An AICPA-certified CPA (referred to as a practitioner in an attestation engagement) performs and reports on the cybersecurity compliance program in accordance with the AICPA's Statements on Standards for Attestation Engagements.
What are the key components of a SOC for Cybersecurity report?
A cybersecurity risk management examination results in the issuance of a SOC for Cybersecurity Report that is considered a general use report that includes the following three key components:
- Management’s Description. The first component is a management-prepared, narrative description of the entity’s cybersecurity risk management program. This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks.
- Management’s Assertion. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the Management’s description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity compliance program were effective to achieve the entity’s cybersecurity objectives based on the AICPA’s control criteria.
- Practitioner’s Report. The third component is a practitioner’s report, which contains a third-party evaluation and opinion. It addresses both the Management’s Description and the Management’s Assertion. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
Is there any restriction on the distribution of a SOC for Cybersecurity report?
Unlike SOC 1 or SOC 2 reports that have limited distribution, the SOC for Cybersecurity report is intended for broad or general distribution.
What are the different types of cybersecurity risk management examinations?
An entity may engage the practitioner to perform one of the two types of SOC for Cybersecurity audits as described below.
- Cybersecurity Risk Management Examination. This examination addresses the effectiveness of controls within the entity’s cybersecurity compliance program.
- Design-only Examination. This examination addresses only the suitability of the design of controls.
Can an organization get a SOC for Cybersecurity audit done for a business unit and not the entire organization?
Yes! An entity may engage the practitioner to examine and report on only a portion of its cybersecurity risk management program, such as one or more specific business units, segments or functions.
Who is the intended audience and what is the benefit of this examination?
A SOC for Cybersecurity report provides transparency into key elements of the entity’s cybersecurity compliance program, improves communications, and enhances confidence in the integrity of the information presented, because the examination is performed by an independent third-party assessor. The intended audience for this examination consists of:
- Board members/directors needing information about the cybersecurity risks an entity faces
- Analysts and investors needing to understand the entity’s cybersecurity risks that could threaten the achievement of the entity’s operational, reporting, and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the business’s value and stock price
- Business partners needing information about an entity’s cybersecurity compliance program as part of their overall risk assessment
- Some industry regulators may benefit from information about an entity’s cybersecurity risk management program to support their oversight role
What standards and framework will be used for the examination?
The SOC for Cybersecurity report is performed in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
How should an organization get ready for a SOC for Cybersecurity examination?
Internal CPAs can try to navigate the AICPA SOC for Cybersecurity criteria and guidance, but that can get complicated, especially if your CPA isn’t certified. More commonly, as an organization reaches a state of readiness, it engages an independent CPA who can perform the SOC audit and provide an opinion on the entity’s description of its efforts and on the effectiveness of its controls.
Where can I find more resources and guidance regarding SOC for Cybersecurity?
More information regarding the SOC for Cybersecurity report can be found here, or on AICPA’s SOC for Cybersecurity page.
For more insight into ensuring your organization is cyber secure and has the necessary policies and procedures in place, contact Withum’s SOC for Cybersecurity or Cybersecurity and Information Security Services team. Withum’s team includes seven of the nation’s first professionals certified in SOC for Cybersecurity by the AICPA and is well equipped to provide cyber services through its talented team of professionals experienced in a variety of cybersecurity assessment engagements.