Newest Addition to the SOC Suite
The AICPA recently added a new offering to its SOC suite: SOC for Cybersecurity. The difference between SOC 1, SOC 2, and SOC 3 has always been fairly clear-cut based on factors like internal control over financial reporting, the Trust Services Criteria, and restricted report use. Now, we have a new player in the game.
What’s the Difference Between SOC for Cybersecurity and SOC 2?
How does SOC for Cybersecurity differ from the other SOC reports? Where a SOC 1 is focused on ICFR and is based on the SSAE 18 standard, SOC for Cybersecurity is completely concentrated on cybersecurity risk management programs. SOC 2 is where it gets a little more complicated. In general, SOC for Cybersecurity and SOC 2 engagements have four key differences: purpose and use, audience, report types, and subject matter.
SOC 2 audits help to address any third-party risk concerns by evaluating internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a service organization’s systems. SOC 2 compliance is intended to give a wide range of service organizations the information security assurance that they need to address security.
A SOC for Cybersecurity examination is how a CPA can report on an organization’s cybersecurity risk management program. This program is an organization’s set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives. The AICPA’s intent was to provide organizations with a consistent language to report on their cybersecurity efforts and establish a widely-accepted approach for cybersecurity assessments.
Purpose and Use
A SOC for Cybersecurity report communicates information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users perspective and confidence in an organization’s cybersecurity risk management program. SOC for Cybersecurity reports are meant to be used during decision-making processes.
SOC 2 compliance can be a major factor in vendor management; no one wants to work with an at-risk vendor. For service organizations wanting to demonstrate their due diligence and information security efforts, a SOC 2 report will communicate how their internal controls are designed and operating.
Audience
SOC for Cybersecurity engagements may be performed for any type of organization, regardless of size or the industry in which it operates. A SOC for Cybersecurity report is for general use, specifically designed to be used by stakeholders, management, directors, analysts, investors, business partners, industry regulators, users, or anyone else whose decisions are directly impacted by the effectiveness of the organization’s cybersecurity controls.
A SOC 2 report is intended for an audience who has prior knowledge and understanding of the system, such as management of a service organization or user entity. In order to communicate the attestation in a SOC 2 report, service organizations must have a SOC 3 report. A SOC 3 does not give a description of the service organization’s system, but can provide interested parties with the auditor’s report on whether an entity maintained effective controls over its systems as they relate to the Trust Services Criteria.
Report Types
When undergoing a SOC 2 audit, a service organization can choose one of two types. Typically, we recommend that service organizations begin with a SOC 2 Type I. A Type I report is an attestation of controls at a service organization at a specific point in time, unlike a Type II, which is an attestation of controls over a period of time. In a Type I, there is no testing of controls, but in a Type II, the auditor will report on the “suitability of the design and operating effectiveness of controls.”
Similar to a SOC 2 Type I, service organizations can choose a design-only SOC for Cybersecurity examination. Design-only examinations do not provide the audience with enough information to assess the effectiveness of cybersecurity controls, only to know the description of the cybersecurity risk management program and the suitability of the design of controls to meet cybersecurity objectives. A service organization may choose to undergo a design-only SOC for Cybersecurity examination if they have not been in operation for a sufficient length of time or if they’ve recently made significant changes to their cybersecurity risk management program.
It’s important to note that in the future, there will be three types of SOC for Cybersecurity report levels to meet all the needs of the market: entity, service provider, and supply chain. The guidance currently available all relates to entity-level engagements.
Subject Matter
The contents of a SOC for Cybersecurity report and a SOC 2 report have a similar structure, but different subject matter. Each report contains management’s description, management’s assertions, and the practitioner’s opinion. In a SOC for Cybersecurity report, each of these components will be related to the entity’s cybersecurity risk management program and the effectiveness of controls to meet cybersecurity objectives. In a SOC 2 report, each of these components will be related to the service organization’s system and the effectiveness of controls as they relate to the Trust Services Criteria.
The main difference to remember between SOC for Cybersecurity and SOC 2 is the reporting on a cybersecurity risk management program versus a system and the Trust Services Criteria. Want more help deciding if a SOC for Cybersecurity engagement is right for your organization? Contact us today.