
Cybersecurity and Information Attestation Engagements Are Coming

The adoption of the SOC for Cybersecurity has been relatively slow. AICPA's engagement guide has been available for three years, but few organizations have yet issued this SOC examination report. Still, the potential for SOC for Cybersecurity engagements is great.

Oct 30, 2020, 05:22 AM

By Michael Cintron, CISA, and Rod Smith, CPA, CISA


Over the past couple of years, the AICPA has developed new control attestation engagements to address a growing need for assurance over certain specialized subject matter areas. An example would be AICPA’s “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” also known as SOC for Cybersecurity.

The need for new attest options is being driven by the trend of organizations placing greater reliance on third parties, which has been enabled by technology. Some factors contributing to this include the following:

  • Growth of the service economy – Services tend to lend themselves to digital rendering when compared to physical products.
  • Outsourcing noncore activities – This has become easier and less expensive by virtue of increased internet speed.
  • Connectivity, or the internet of things – More devices use electronic data, which can be connected to and seamlessly transmitted and exchanged over the internet.
  • Pay-by-the-service business model – The subscription model used in software-as-a-service has fostered the growth of outsourcing.

Although the number of attest engagements has grown, the AICPA’s Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which governs control attestation engagements, has changed only minimally. As currently written, SSAE 18 gives auditors a lot of flexibility in terms of the reporting options available and their uses. The standard is written in terms general enough to allow its application to a broad range of subject matter areas and industries. Over time, though, CPAs have noted greater demand for control assurance over highly specialized subject matter areas.

Cybersecurity

Assurance over an organization’s cybersecurity risk management program and controls is one of the areas for which there is both a great need and specialized requirements. In these cases, more guidance than what is provided in the SSAE is needed for the auditor to meet expectations for providing meaningful information and to ensure thorough and consistent treatment that is comparable across industries and organizations. To provide the auditor with the guidance needed for such a specialized subject matter, the AICPA publishes Audit and Assurance Guides (AAGs) that provide detailed guidance on specific topics such as cybersecurity. In some cases, “Description Criteria” for the subject matter are also defined and published. Description Criteria are the items deemed necessary, which must be included and detailed in the System Description for the subject matter examined. For the SOC for Cybersecurity examination, the AICPA published both an AAG and description criteria to support the CPA practitioner in conducting the examination.

As technology continues to grow, one of the most concerning areas for service organizations is cybersecurity risk. Given the acute demand in the market for assurance over cybersecurity, the AICPA recognized that the market would benefit from an independent examination of a company’s cybersecurity risk management that can be performed across industries. Since cyberthreats constantly evolve, the AICPA opted for an approach that balances examining an organization’s current controls with assessing its ongoing cyber risk management program, both to reduce the likelihood of a breach and to evaluate its ability to mitigate and recover from incidents sustained. The AICPA’s SOC for Cybersecurity guide details 19 description criteria areas relative to cybersecurity, covering the nature of business and operations, information at risk, risk management objectives, factors having a significant effect on inherent risk, the risk governance structure, the risk assessment process, communications and quality of information, monitoring of the risk management program, and the control process.

SOC for Cybersecurity

The value proposition of SOC for Cybersecurity is based on the idea that organizations will experience increasing pressure to demonstrate a sound cybersecurity risk management program and controls, and to provide assurance on their cybersecurity posture to various interested parties. The new SOC is the only alternative that provides assurance over cybersecurity that is objective, comprehensive, and understandable to non-technical parties, and which also provides a consistent and transparent framework and reporting format for organizations. As such, the expectation is that SOC for Cybersecurity will become the de facto reporting standard for cybersecurity.

To date, the adoption of the SOC for Cybersecurity has been relatively slow. The new engagement guide has been available for three years, and few organizations have yet issued this SOC examination report. Some factors contributing to this include the following:

  • Cost – The scope for the SOC exam is broad, and the fees for the exam reflect this scope.
  • Risk – Organizations are reluctant, as it is a stringent examination from which they could receive a qualified (or even adverse) opinion.
  • Timeline – Most organizations will want to undergo a readiness evaluation before doing the examination. This process can take a long time, as the organization will generally want to remediate any deviations noted by the team before starting an examination.

Still, the potential for SOC for Cybersecurity engagements is great. Once a few market leaders begin to issue these reports, peers and competitors will feel pressure to issue their own report. While this new service is expensive and involves some risk, early adopters should enjoy advantages over their competitors in terms of enhancing their organization’s brand and reputation. Investors, customers, and other business partners will undoubtedly react favorably to the first to market in providing assurance over their organization’s cybersecurity risk management program and controls.


Michael Cintron, CISA, is a senior manager, assurance and technology control services, at EisnerAmper LLP in Philadelphia. He can be reached at michael.cintron@eisneramper.com.

Rod Smith, CPA, CISA, is partner, assurance and technology control services at EisnerAmper LLP in Philadelphia. He can be reached at rod.smith@eisneramper.com.
