In May of 2017, AICPA issued a new framework to its suite of System and Organization Controls Reports (SOC) to allow organizations to obtain an audit over an organization’s Cybersecurity Risk Management Program and Controls. This framework is designed to be flexible and customizable to organizations of different sizes, and borrows much of its framework from the criteria related to the security, availability, and confidentiality categories contained in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy that are utilized for a SOC 2 Examination. Below is a summary that compares the differences between a SOC 2 and a SOC for Cybersecurity Engagement as illustrated in Appendix B of AICPA’s “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls” Audit Guide published in April 2017.

Comparison of a SOC for Cybersecurity engagement and a SOC 2 engagement

What is the purpose?
  SOC for Cybersecurity: To provide intended users with useful information about an entity’s cybersecurity risk management program for making informed decisions.
  SOC 2: To provide a broad range of system users with information about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy, to support users’ evaluations of their own systems of internal control.

Who are the intended users?
  SOC for Cybersecurity: Management, directors, analysts, investors, and others whose decisions might be affected by the effectiveness of the entity’s cybersecurity risk management program.
  SOC 2: Management of the service organization and other specified parties with sufficient knowledge and understanding of the service organization and its system.

Under what professional standards and implementation guidance is the engagement performed?
  SOC for Cybersecurity: AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, in AICPA Professional Standards.
  SOC 2: AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, in AICPA Professional Standards.

Who is the responsible party?
  SOC for Cybersecurity: Management of an entity.
  SOC 2: Management of a service organization.

Is the report appropriate for general use or restricted to specified parties?
  SOC for Cybersecurity: Appropriate for general use.
  SOC 2: Restricted to user entity personnel and specified parties, such as independent auditors and practitioners of user entities, prospective user entities, and regulators, who have sufficient knowledge and understanding of the following matters:
    • The nature of the service provided by the service organization
    • How the service organization’s system interacts with user entities and other parties
    • Internal control and its limitations
    • The nature of user entity responsibilities and their role in the user entities’ internal control as it relates to service organizations
    • The nature of subservice organizations and how their services to a service organization may affect user entities
    • The applicable trust services criteria
    • The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

What is the subject matter of management’s assertion and the engagement?
  SOC for Cybersecurity: The description of the entity’s cybersecurity risk management program based on the description criteria.
  SOC 2: The description of the service organization’s system as it relates to one or more of the categories in the trust services criteria.

What are the criteria for the engagement?
  SOC for Cybersecurity: The description criteria included in appendix C, “Description Criteria for Use in the Cybersecurity Risk Management Examination,” of the Audit Guide, which includes the following criteria:
    1. Nature of business and operations
    2. Nature of information at risk
    3. Cybersecurity risk management program objectives
    4. Factors that have a significant effect on inherent cybersecurity risks
    5. Cybersecurity risk governance structure
    6. Cybersecurity risk assessment process
    7. Cybersecurity communications and the quality of cybersecurity information
    8. Monitoring of the cybersecurity risk management program
    9. Cybersecurity control processes
  SOC 2: Paragraphs 1.26–1.27 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) contain the criteria for the description of the service organization’s system, which includes the following criteria:
    1. Types of services provided
    2. Principal service commitments and system requirements
    3. Components of the system used to provide the services, including:
       1. Infrastructure
       2. Software
       3. People
       4. Procedures
       5. Data
    4. Description of system incidents
    5. Applicable trust services criteria and applicable controls to provide reasonable assurance that service commitments and system requirements were achieved
    6. Complementary user entity controls
    7. Complementary subservice organization controls
    8. Any specific criterion of the applicable trust services criteria that is not relevant to the system and the reasons it is not relevant
    9. Significant changes to the service organization’s system and controls during the period

What are the contents of the report?
  SOC for Cybersecurity:
    • A description of the entity’s cybersecurity risk management program
    • A written assertion by management about whether (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
    • A practitioner’s report that contains an opinion about whether (a) the description of the entity’s cybersecurity risk management program was presented in accordance with the description criteria and (b) the controls within that program were effective in achieving the entity’s cybersecurity objectives based on the control criteria
  SOC 2:
    • A description of the service organization’s system
    • A written assertion by management of the service organization regarding the description of the service organization’s system and the suitability of the design and the operating effectiveness of the controls in meeting the applicable trust services criteria
    • A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to meet the criteria
    • In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests

What are the different types of SOC reports?
  SOC for Cybersecurity:
    • Design only – similar to a Type 1 SOC 2 report.
    • Design and operating effectiveness – similar to a Type 2 SOC 2 report.
  SOC 2:
    • Type 1 – testing of controls at a point in time.
    • Type 2 – testing of controls over a period of time.

What is the treatment of subservice organizations (SSO)?
  SOC for Cybersecurity: No carve-out of subservice organizations is allowed; controls of the third parties must be included within the scope of the entity’s evaluation.
  SOC 2: The service organization can choose to include or carve out subservice organizations.


SOC for Cybersecurity can be a useful tool for any organization that wants to communicate relevant information about the effectiveness of its cybersecurity risk management program. For more information on SOC for Cybersecurity, contact Larson & Company today.