One of the biggest concerns for organizations in today’s business environment is cybersecurity. Cybersecurity in its most basic form is the protection of electronic data from unauthorized or criminal access and use. As businesses capture more and more data, both internally in relation to the operations of the company and externally in relation to the needs of their consumer base, the protection of electronic data from cyber risk is becoming more and more paramount. No company wants their data stolen, especially sensitive data that can compromise a variety of stakeholders (like the recent Equifax and Citibank breaches).

Firms are understandably under huge amounts of pressure to provide security around electronic data, and fast. The AICPA understands the growing need for an evaluation of these systems and put together the SOC for Cybersecurity to help businesses manage their cybersecurity programs to evaluate and lessen risk. This guide will help you understand more about the SOC for Cybersecurity report, and how it will affect your career as a CPA.

This guide will help you understand more about the SOC for Cybersecurity report, and how it will affect your career as a CPA.

What is SOC for cybersecurity?

System and Organization Controls (SOC) for Cybersecurity is a framework developed by the AICPA in 2017 to help provide assurance around an organization’s cybersecurity risk management program. Previously, SOC stood for Service Organization Controls since reporting was limited to service organizations only, and the SOC 2 report communicated information about a service organization’s controls relevant to information security. The SOC 2 is a report that is still in use today.

Unlike the SOC 2, the SOC for Cybersecurity provides a framework for CPAs to review all types of organizations through system- and entity-level controls, and is more focused on cybersecurity as opposed to general information security. Basically, it’s a report that helps CPAs evaluate how a company would respond to a cybersecurity threat, and if the right cybersecurity controls are in place to mitigate risks or prevent threats.

Key components of the SOC for cybersecurity

The SOC for Cybersecurity provides information for three main groups: CPAs, users, and organizations.

For CPAs, the framework provides information key to the development of engagements related to a company’s cybersecurity risk management program. CPAs can use the SOC for Cybersecurity report to properly evaluate risks associated with an organization’s risk management program related to cybersecurity and provide information to users on how to improve their cybersecurity framework.

The SOC for Cybersecurity report provides information to users of the program on how to best develop and implement a risk management program. This helps senior management, analysts, the board of directors, and other stakeholders make decisions related to cybersecurity and how to best protect an organization’s electronic data. It also helps management ensure the entity’s cybersecurity objectives are being met through the program in place.

Organizations, in turn, can use the SOC for Cybersecurity report to help develop trust regarding their cybersecurity risk management program. It provides a framework to communicate the effectiveness of the program to employees, customers, and vendors of the organization.

The SOC for Cybersecurity is a general use report meant to be used by a wide audience to evaluate the effectiveness of the cybersecurity risk management program, and how the program affects decision making.

The AICPA’s cybersecurity risk management reporting framework

The framework developed by the AICPA provides a template for companies to report on the effectiveness of their cybersecurity risk management programs through three key areas:

1. Description criteria for management’s description of an entity’s cybersecurity risk management reporting program

This helps entities describe the risks their company faces in terms of cybersecurity and also allows them to explain the processes in place to manage those risks. The criteria put in place by the AICPA shows companies how to explain this through several key descriptors:

  • Considerations on the nature of an entity’s business and operations,
  • Factors affecting inherent cybersecurity risk,
  • Risk governance and assessment processes, and
  • Monitoring of the cybersecurity program.


2. 2017 trust services criteria for security, availability, processing integrity, confidentiality and privacy

These criteria are used by CPAs to evaluate and report on the effectiveness of controls surrounding the cybersecurity risk management program of an organization via an attestation engagement. The criteria are also used by management to ensure controls are working effectively.

3. AICPA guide reporting on an entity’s cybersecurity risk management program and controls

For CPAs engaged in attestation engagements, this is meant to provide guidance regarding how to evaluate a company’s cybersecurity risk management program through specific control criteria. Unlike the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy, which provides CPAs with information regarding how to report on a cybersecurity risk management program, the AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls helps CPAs actually evaluate the program.

CPAs and cybersecurity: Why does it matter?

Public accounting and CPA firms have been on the front line of evaluating the internal controls and financial reporting of companies through attestation and advisory engagements for decades. It’s only natural that CPAs take on the role of evaluating cybersecurity risk management programs as the business environment becomes more tech-heavy.

CPAs are in a unique position to provide attestation and advisory services to firms regarding their cybersecurity risk management programs because of their standing as elite professionals in the field of accounting. As accounting becomes more and more tech-based, CPAs have the relevant education, experience, and expertise to provide a high level of service when it comes to evaluating and managing cybersecurity. By providing SOC for Cybersecurity examinations and reports, CPAs can protect consumer data, help organizations develop better programs, and prevent cybersecurity breaches.

What you need to know

As a future CPA, it’s important you’re aware of SOC reporting and how it relates to cyber threats and security events, especially as the business environment evolves to becomes more tech-heavy. Learning about cybersecurity now and its relevance to the accounting profession will help you feel prepared going into your career as a CPA.


Just starting out as a CPA? Try studying with Surgent CPA Review for free today!

Start Now