Over the past 3 months, we have published a series of articles intended to provide a foundational understanding of a SOC for Cybersecurity audit. We focused on the nature of the engagement; the importance of a SOC for Cybersecurity audit for a variety of organizations; and we compared a SOC for Cybersecurity audit to existing SOC 1, SOC 2, and SOC 3 audits. We also presented a webinar focused on SOC for Cybersecurity, which recapped many of the ideas presented in the first few articles. In our final piece in the series, we will summarize some key aspects of a SOC for Cybersecurity audit and discuss the process an organization can expect if it chooses to have a SOC for Cybersecurity engagement performed. Let’s start with a quick recap of what we have learned so far.
SOC for Cybersecurity Summary
In our first article, we reviewed the background and nature of a SOC for Cybersecurity audit. The AICPA introduced SOC for Cybersecurity in early 2018 with the intent to build on the existing SOC 1, SOC 2, and SOC 3 examinations previously established for Service Organizations. A SOC for Cybersecurity is an audit over an organization’s cybersecurity risk management program, and it allows the users of the organization’s SOC for Cybersecurity report to understand the processes, policies, and controls in place to mitigate and prevent cybersecurity attacks from occurring.
In our second article, we focused on the benefits of a SOC for Cybersecurity, noting that it provides simple and clear communication of the effectiveness of the organization’s cybersecurity risk management program to the organization’s board of directors, investors, or anyone involved with the operations of the organization. This simple and clear communication provides these users an understanding of the organization’s controls in place surrounding cybersecurity and the effectiveness of such programs.
In our third article, we covered some of the key differences between a SOC for Cybersecurity and the SOC 1, SOC 2, and SOC 3 engagements. A SOC for Cybersecurity is for general use and reaches a broader audience (internal and external) than a SOC 1, SOC 2, or SOC 3 engagement. This is because a SOC for Cybersecurity is useful for and intended for any organization, not just for a service organization and its users. A SOC for Cybersecurity audit also differs from a SOC 2 or SOC 3 in that it is an audit over the organization’s Cybersecurity Risk Management Program, as opposed to a report over the organization’s controls in relation to the AICPA’s Trust Services Criteria. This difference in what the description covers is a large part of what makes a SOC for Cybersecurity useful to a broader audience of companies.
SOC for Cybersecurity Process
After you have read the articles throughout our series, you may have determined that your organization is ready for a SOC for Cybersecurity examination. If your organization believes that a SOC for Cybersecurity could be useful (and we would agree with this conclusion), the following is the SOC for Cybersecurity engagement process you can expect:
During the pre-assessment phase, your auditor will read and understand your organization’s cybersecurity risk management program. From there, the auditor will work with you to map your existing cybersecurity risk management program to specific criteria. This is where the auditor will turn into a guide and assist you in identifying any gaps within the cybersecurity risk management program documentation and suggest proper remediation in order to fill these gaps. The pre-assessment objective is to get the organization SOC for Cybersecurity ready. This phase can last a few months or can even take over a year. It all depends on how strong the organization’s cybersecurity risk management program is prior to the pre-assessment phase. Even if your organization does not have a cybersecurity risk management program in place prior to pre-assessment, your auditor will guide you in the creation of a cybersecurity risk management program tailored to your organization.
During the testing phase, your auditor will put on their “auditor hat” and perform testing over the cybersecurity risk management program that was updated during pre-assessment. This testing includes, but is not limited to, performing walk-throughs over cybersecurity risk management program processes, sampling, testing the operation of controls, and providing feedback on the results of the testing in the form of the auditor’s report.
Finally, the reporting phase includes a finalized SOC for Cybersecurity report. This report includes a detailed description of management’s cybersecurity risk management program; management’s assertion that their cybersecurity risk management program is in accordance with the AICPA description criteria; and the auditor’s opinion on whether the organization’s cybersecurity risk management program effectively achieved the organization’s objectives.
We believe that a SOC for Cybersecurity provides value to any organization by giving confidence that your organization has proper processes and controls in place to mitigate and prevent cybersecurity attacks. While a SOC for Cybersecurity is not designed to (and cannot) prevent the occurrence of such attacks or absolutely ensure the safety of your data, it DOES serve to provide some degree of outside comfort that you are doing the right things to reduce your risk.
Throughout these articles, we hope that you have obtained sufficient knowledge to answer the question “What is a SOC for Cybersecurity?” If your organization has considered a SOC for Cybersecurity but still has additional questions, our SOC team is available to speak with you. Thank you for your time, and we look forward to serving your organization!
Does your organization need a SOC for Cybersecurity?
McKonly & Asbury has the experience and expertise to work with your organization to evaluate your preparedness for a SOC for Cybersecurity examination. Our goal is to work with you to evaluate your internal controls and reporting needs and then provide you with valuable recommendations to ensure your SOC for Cybersecurity examination goes smoothly.
As always, if you have any questions regarding this article or for more information about our SOC for Cybersecurity services, please contact Michael Hoffner, Partner and Leader of McKonly & Asbury’s SOC practice, at email@example.com.