Guidance outlines key distinctions between two SOC examination types; enables organizations to select the appropriate examination to meet stakeholder needs
To provide further clarity and insight into SOC for Cybersecurity examinations, the American Institute of Certified Public Accountants (AICPA) published its whitepaper on the key distinctions between SOC for Cybersecurity and SOC 2 examinations in January 2018. The guidance provides context on the need for a cybersecurity-focused examination, as well as summarizes and compares key components of SOC for Cybersecurity and SOC 2. Organizations can use the guidance to determine which examination best addresses the risk management and compliance needs of their management, customers and stakeholders.
Cyber assurance: why the AICPA developed SOC for Cybersecurity
With data breaches and other cybercrimes in the news almost daily, and the cost of a compromise rising, cybersecurity risk management has become a top priority for management and for organizations’ boards, customers, investors, analysts and other business partners and third parties. A recent report from CSO magazine projects that cybercrime damage costs will reach $6 trillion annually by 2021.
Historically, organizations evaluated and addressed cybersecurity concerns by engaging cybersecurity consultants to supplement their own workforces; that produces advice, but not independent assurance. A SOC for Cybersecurity examination enables an organization to evaluate and verify how effective its cybersecurity risk management program is and to communicate the result to stakeholders, with the credibility of an objective assurance examination conducted by an independent CPA firm. The examination can also be used to improve the organization’s cybersecurity preparedness, controls and processes, strengthening its overall risk profile.
Common ground: similarities between the two examinations
The AICPA guidance expands on what a SOC for Cybersecurity examination entails. As with a SOC 2, a SOC for Cybersecurity examination and the resulting CPA’s opinion focus on two aspects: management’s description (of the cybersecurity risk management program or of the system) and the controls within it.
Common examination elements between SOC for Cybersecurity and SOC 2 include:
- Internal control evaluation
Both SOC for Cybersecurity and SOC 2 examinations have the flexibility to be scoped at different levels (e.g., one or more business units, services or products); the appropriate level can be determined by an organization based on its reporting needs.
There are also similarities between the two SOC report deliverables; both include:
- The independent auditor’s opinion on the description and controls
- Management’s assertion related to the description and controls
- Management’s description of the scope of the examination and relevant control practices
SOC for Cybersecurity: a comparison to SOC 2
The AICPA guidance helps organizations better understand the scope, approach and deliverables for the SOC for Cybersecurity examination through a direct comparison to the SOC 2 examination. Organizations may determine it is appropriate to complete either a SOC for Cybersecurity examination or a SOC 2 examination – or may opt to do both in order to address different report user needs.
The following table summarizes the key distinctions between the two examination options.

| | SOC for Cybersecurity | SOC 2 |
|---|---|---|
| Subject matter and scope | Focuses on an organization’s cybersecurity risk management program: an enterprise-wide examination | Focuses on a service organization’s system related to the services it provides to customers: a specific examination relating to the systems and data involved in those services |
| Required description components | Nine program components must be addressed | Five system components must be addressed |
| Control criteria | TSP section 100, 2017 Trust Services Criteria may be used; if selected as the control criteria, the organization must address the criteria for the Security, Availability and Confidentiality principles. Other industry frameworks (e.g., the NIST Cybersecurity Framework) that meet the AICPA’s definition of “suitable criteria” may also be used. | TSP section 100, 2017 Trust Services Criteria; the service organization selects one or more of the Security, Availability, Confidentiality, Processing Integrity and Privacy principles. |
| Intended report users | The organization’s stakeholders (e.g., management, directors, investors, analysts, business partners) | Management, auditors, regulators or business partners of current or prospective customers |
Connect with us.
For more information, contact Baker Tilly’s Cybersecurity & IT Risk practice. You can also download our ebook “Roadmap to Building a Sustainable Cybersecurity Management Program” or learn more about our cybersecurity services.