This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.
The adoption of the SOC for Cybersecurity has been relatively slow. AICPA's engagement guide has been available for three years, but few organizations have yet issued this SOC examination report. Still, the potential for SOC for Cybersecurity engagements is great.
By Michael Cintron, CISA, and Rod Smith, CPA, CISA
Over the past couple of years, the AICPA has developed new control attestation engagements to address a growing need for assurance over certain specialized subject matter areas. An example would be AICPA’s “Reporting on an Entity’s Cybersecurity Risk Management Program and Controls,” also known as SOC for Cybersecurity.
The need for new attest options is being driven by the trend of organizations placing greater reliance on third parties, which has been enabled by technology. Some factors contributing to this include the following:
Although the number of attest engagements has changed, the AICPA's Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which governs control attestation engagements, has changed very little. As currently written, SSAE 18 gives auditors a lot of flexibility in the reporting options available and their uses. The standard is written in terms general enough to allow its application to a broad range of subject matter areas and industries. Over time, though, CPAs have noted greater demand for control assurance over highly specialized subject matter areas.
Assurance over an organization's cybersecurity risk management program and controls is one of the areas for which there is both a great need and specialized requirements. In these cases, more guidance than what is provided in the SSAE is needed for the auditor to meet expectations for providing meaningful information and to ensure thorough and consistent treatment that is comparable across industries and organizations. To provide the auditor with the guidance needed for such a specialized subject matter, the AICPA publishes Audit and Assurance Guides (AAGs) that provide detailed guidance on specific topics such as cybersecurity. In some cases, "Description Criteria" for the subject matter are also defined and published. Description Criteria are items that are deemed necessary and should be included and detailed in the System Description for the subject matter examined. For the SOC for Cybersecurity examination, both an AAG and description criteria were published by the AICPA to support the CPA practitioner in conducting the examination.
As the growth in technology continues, one of the most concerning areas for service organizations is cybersecurity risk. Given the acute demand in the market for assurance over cybersecurity, the AICPA recognized that the market would benefit from an independent examination of a company's cybersecurity risk management that can be performed across industries. Since cyberthreats constantly evolve, the AICPA opted for an approach that balances examining an organization's current controls with assessing its ongoing cyber risk management program, both to reduce the likelihood of a breach and to evaluate its ability to mitigate and recover from incidents sustained. The AICPA's SOC for Cybersecurity guide details 19 description criteria relative to cybersecurity, covering the nature of business and operations, information at risk, risk management objectives, factors having a significant effect on inherent risk, the risk governance structure, the risk assessment process, communications and quality of information, monitoring of the risk management program, and the control process.
The value proposition of SOC for Cybersecurity is based on the idea that organizations will experience increasing pressure to demonstrate a sound cybersecurity risk management program and controls, and to provide assurance on their cybersecurity posture to various interested parties. The new SOC is the only alternative that provides assurance over cybersecurity that is objective, comprehensive, and understandable to non-technical parties, and which also provides a consistent and transparent framework and reporting format for organizations. As such, the expectation is that SOC for Cybersecurity will become the de facto reporting standard for cybersecurity.
To date, the adoption of the SOC for Cybersecurity has been relatively slow. The new engagement guide has been available for three years, and few organizations have yet issued this SOC examination report. Some factors contributing to this include the following:
Still, the potential for SOC for Cybersecurity engagements is great. Once a few market leaders begin to issue these reports, peers and competitors will feel pressure to issue their own report. While this new service is expensive and involves some risk, early adopters should enjoy advantages over their competitors in terms of enhancing their organization’s brand and reputation. Investors, customers, and other business partners will undoubtedly react favorably to the first to market in providing assurance over their organization’s cybersecurity risk management program and controls.
Michael Cintron, CISA, is a senior manager, assurance and technology control services, at EisnerAmper LLP in Philadelphia. He can be reached at michael.cintron@eisneramper.com.
Rod Smith, CPA, CISA, is partner, assurance and technology control services at EisnerAmper LLP in Philadelphia. He can be reached at rod.smith@eisneramper.com.