SOC for Cybersecurity: Comparison of Cybersecurity SOC to Other SOCs

In the last article of our SOC for Cybersecurity series, we discussed the benefit of a SOC for Cybersecurity audit for any organization. In this article, we will continue our focus on SOC for Cybersecurity by exploring how it compares to the other SOC reports and discuss why a SOC for Cybersecurity might be a better fit for your organization over a traditional SOC 1, 2, or 3 report. Before we dive into our comparison of SOC reports to a SOC for Cybersecurity, it’s important to recap each of the different SOC reports available to organizations.

What are the different types of SOC reports?

As you may already know from reading our latest article “SOC Reports and Your Service Organization’s Questions”, there are a few different SOC Reports that are available to an organization.

• SOC 1 Reports: Primarily focus on a service organization’s controls that are relevant to the user entity’s financial reporting, addressing the control objectives defined by the service organization as most significant to its users.
• SOC 2 Reports: Address a service organization’s controls over the system the service organization is providing to its user entities, addressing controls in place to meet the AICPAs Trust Services Criteria.
• Type I and Type II Reports: SOC 1 and SOC 2 Reports can further be broken down into a Type I or a Type II report. A Type I report focuses on the suitability and the design of the service organization’s controls at a point in time. A Type II is similar to a Type I but also includes an auditor’s opinion of the operating effectiveness of the controls within the service organization over a period of time.
• SOC 3 Reports: A condensed SOC 2 report containing an auditor’s opinion and intended for general use.

What are the differences between a SOC 2 and a SOC for Cybersecurity?

While there are clear and obvious differences between a SOC 1 and a SOC for Cybersecurity engagement, those distinctions are a little less apparent and obvious in comparing a SOC 2 and a SOC for Cybersecurity. However, even though these reports seem similar, there are a variety of differences between a SOC 2 report and a SOC for Cybersecurity.

As you review each of the types of SOC reports above, you will notice there are two words that stick out in each of the descriptions. Those two words are service organizations. SOC 2 reports are intended for service organizations and the user entities of the service organization. These reports provide user entities of the service organization comfort that the controls of the service organization’s system are designed (Type I) and operating effectively (Type II). This is the first major difference between the SOC reports and the SOC for Cybersecurity report. As previously discussed in our previous article, SOC for Cybersecurity audits are for any organization across all industries. Your organization does not have to be a “service organization” in order to have a SOC for Cybersecurity audit performed. A SOC for Cybersecurity is a great tool for ANY organization to provide general users of the entity with a description of the entity’s cyber security risk management program.

Further to the above discussion on what type of entity is a candidate for each type of SOC engagement, another significant difference between a SOC 2 and a SOC for Cybersecurity is who the intended end users of the final report are. SOC 2 reports are intended to be distributed to specified user entities of the service organization’s system and are for those users that have some prior knowledge of the service organization’s system and what it is used for. In fact, the SOC 2 report specifically states that the final report is meant for use only by specified user entities. A SOC for Cybersecurity, on the other hand, is intended to be distributed to general users of the organization. These general users can include, but are not limited to, management of the organization, board of directors of the organization, investors of the organization, and any other individual that is relevant to the organization’s operations. As you can see, the SOC for Cybersecurity report is intended for a broad audience and applicable to a wide range of organizations.

Another major difference between a SOC 2 and a SOC for Cybersecurity is the subject matter of the report. SOC 2 reports include a description of the system of the service organization and addresses the organization’s controls surrounding the AICPA’s Trust Services Criteria. The SOC 2 focuses on the controls surrounding the system that the service organization provides to its end users and how that system is designed in context of the Security, Availability, Confidentiality, Processing Integrity, or Privacy principals. This is predominately the reason why SOC 2 reports are intended just for the user entities of the service organization’s system – to be relevant and understood, the reader must understand the context of the system it is reporting on. A SOC for Cybersecurity, on the other hand, includes a description of the cybersecurity risk management program of the entity. This report dives deep in the cybersecurity risk management program’s processes, policies, and controls implemented to protect the organization from cyber-attacks and cyber threats – it can be understood by any reader and is not dependent on having a prior understanding of the services the organization provides.

The final major difference we will discuss in this article between a SOC 2 and a SOC for Cybersecurity is the subject matter of the report. A SOC 2 report concludes on whether the description included within the service organization is presented in accordance with the AICPA trust services criteria. A SOC for Cybersecurity report, on the other hand, includes the description of the entity’s cyber risk management program and the controls designed to meet cybersecurity objectives. The SOC for Cybersecurity also includes the results of the audit testing with the auditor providing an opinion on whether the controls in place within the organization effectively achieve the objectives within the entity’s cybersecurity risk management program. It’s important to note that an organization can elect a Type 1 report over Cybersecurity much the same as a SOC 1 or SOC 2 – in other words, an organization can engage a CPA firm to provide an opinion over the design of the controls only and perform a Type 2 (test of operating effectiveness) at a future date if desired.

Even though there are similarities between a standard SOC audit and a SOC for Cybersecurity, the key difference is that a SOC for Cybersecurity is for any organization with the intention to distribute the report to any user of the entity (management, board of directors, investors, etc.). A SOC for Cybersecurity provides the entity with insight into their effectiveness of their cybersecurity risk management program.

Does your organization need a SOC for Cybersecurity?

McKonly & Asbury has the experience and expertise to work with your organization to evaluate your preparedness for a SOC for Cybersecurity examination. Our goal is to work with you to evaluate your internal controls and reporting needs and then provide you with valuable recommendations to ensure your SOC for Cybersecurity examination goes smoothly.

In our final article, we will summarize our knowledge of a SOC for Cybersecurity. As always, if you have any questions regarding this article or for more information about our SOC for Cybersecurity services, please contact Michael Hoffner, Partner and Leader of McKonly & Asbury’s SOC practice, at mhoffner@macpas.com.