1 featured image 1
Audit Insights

A Closer Look at the AICPA’S SOC for Cybersecurity

September 9, 2019

Headline-making breaches. Compromised data. Regulatory Fines.

Reputational damage.

The threat of these consequences puts organizations under intense pressure to prove they are managing cybersecurity threats effectively and are prepared to handle an incident at any moment. With new data protection regulations like the GDPR  and CCPA passing every year, data security is becoming a bigger focus for many small and mid-sized organizations, leading them to ask:

  • Do we have enough protections in place to protect our critical data and our customers’ data?
  • How can we prove that our security processes and policies are effectively managing these threats?
  • How do we demonstrate the effectiveness our cybersecurity program to executive leadership and the board?
  • How do we show our customers that we have security measures in place to protect their data?

To help answer these tough questions, the AICPA introduced the SOC for Cybersecurity, a new reporting framework for assessing an enterprise-wide cybersecurity risk management program. Delivered by an independent assessor, this examination ensures your organization has aligned with industry best practices and is able to effectively manage current and future security risks. A successful SOC for Cybersecurity examination can be shared with executive leadership, potential clients, and other stakeholders to demonstrate the effectiveness of your cybersecurity program.

The Elements of a SOC for Cybersecurity

Using the AICPA’s SOC for Cybersecurity framework, a qualified CPA firm can perform a comprehensive audit that reports on critical information regarding an organization’s cybersecurity controls and risk management efforts. In other words, this assessment is third-party validation that ensures your organization has adequate controls in place to prevent, monitor, and address top cybersecurity threats. 

A SOC for Cybersecurity assesses processes and systems stemming from relevant regulations and cybersecurity frameworks, such as:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
  • International Organization for Standardization (ISO) 27001
  • HITRUST Common Security Framework
  • NIST Special Publications 800 Series
  • COSO 2013 Framework
  • COBIT 5

A SOC for Cybersecurity examination report includes three key components:

  1. Management’s Description: A description, prepared by management, of an organization’s risk management program, using the Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Reporting Program. The description criteria typically include the nature of the business and operations, factors impacting cyber risk, risk governance and assessment processes, and monitoring efforts.
  2. Management’s Assertion: An assertion by management that states they are aware of the controls in place surrounding the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy at their organization.
  3. Practitioner’s Report: A CPA-issued opinion on whether the description and assertion management has presented are effective and achieve cybersecurity objectives. CPAs leverage the AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls for this section of the report.

The Benefits of a SOC for Cybersecurity

Having a qualified CPA firm evaluate your organization’s cybersecurity risk management program can lead to many benefits, including:

  • Obtaining verified proof that the processes, policies, controls, and technologies within your cybersecurity program are the most secure environments possible.
  • Conveying confidence to your company’s leadership, board members, business partners, and investors that your cybersecurity program is aligned with industry best practices and standards.
  • Building trust with current and prospective customers by proactively providing proof of a safe environment, even when not required. This report does not contain technical or private company information, so it can be shared with a larger audience.
  • Avoiding security incidents by detecting potential issues and gaps in controls before they cause damaging consequences.

Who Should Consider a SOC for Cybersecurity?

Organizations should consider having their SOC for Cybersecurity completed annually. Although it is not mandatory, it is an effective framework for keeping your company’s data secure and a useful communication tool in business discussions around cybersecurity. 

And, unlike SOC 1, 2, and 3, which are intended solely for service organizations, this reporting option is designed for any organization looking for assurance regarding their cybersecurity controls.  So, whether your organization has an in-depth cybersecurity risk management program, or limited controls in place, this assessment may be for you.

If you’re interested in learning how a SOC for Cybersecurity can benefit your organization, Focal Point is here to help.

Contact Us


Want more risk management insights?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.