The American Institute of Certified Public Accountants (AICPA) finalized the guidance for Systems and Organization Controls (SOC) for Cybersecurity reporting this week. This guidance gives organizations guidelines on how to create and document their cybersecurity risk management program, as well as provides standards for public accounting firms to report on such programs. In other words, this provides clear guidance for CPAs to provide assurance on cybersecurity.
There are a number of cybersecurity frameworks but none of them were specifically designed to prepare a description of an organization’s cybersecurity risk management program such as those required by the proposed standards. The AICPA’s SOC for Cybersecurity criteria are primarily based on the Internal Control – Integrated Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), most recently revised in 2013. You can learn more about this in my last blog post on this topic.
With the AICPA releasing this information this week, we've had numerous questions from clients on these examinations, how they work, and who they benefit most.
How is the SOC for Cybersecurity performed?
A SOC for Cybersecurity examination is performed in accordance with the AICPA Statements on Standards for Attestation Engagements. If your organization has ever had a SOC 2 report engagement performed, a cybersecurity examination will follow many of the same principles. Even if your organization hasn’t had a SOC 2 examination performed, you may be able to request a copy of one from a vendor. Payroll is one of the most commonly outsourced functions, so your organization may have a copy of your payroll vendor’s SOC 2 report available.
What is the format of the SOC for Cybersecurity report?
The examination using the AICPA guidance will result in a report on an organization’s cybersecurity risk management program. This SOC for Cybersecurity report is a general use report that will meet the needs of a variety of stakeholders. The report format may vary by practitioner and organization, but contains three main sections:
Management’s description of the entity’s cybersecurity risk management program: Contains the organization’s own detailed description and narrative of its cybersecurity risk management program.
Management’s assertion: The organization’s assertion as to whether the described cybersecurity risk management program is in accordance with the SOC for Cybersecurity criteria, and whether the controls of the program were effective in meeting the organization’s cybersecurity objectives. The assertion can be for a single point in time, or for a specified period of time (typically one year).
Practitioner’s report: The opinion of the CPA firm or practitioner on whether management’s description of their cybersecurity program aligns with the SOC for Cybersecurity criteria, as well as whether the controls of the program were effective to meet the organization’s cybersecurity objectives.
What type of organization is a SOC for Cybersecurity examination appropriate for?
The SOC for Cybersecurity examination and report are appropriate for a wide range of organizations. Entities that do not provide services of the kind typically covered by an SSAE 18 SOC 1 or SOC 2 report are now able to provide independent confirmation of their cybersecurity practices to their customers. For organizations that already have SOC 1 or SOC 2 examinations, the SOC for Cybersecurity report can provide additional, specific assurance. As with SOC 1 and SOC 2 examinations, the AICPA requires that SOC for Cybersecurity examinations be performed by a CPA firm or practitioner.