Fall 2025

Cybersecurity is often thought to be the exclusive domain of information technology (IT) professionals, but CPAs possess a unique blend of analytical, ethical, and assurance-based skills that make the profession ideal for cybersecurity risk management and System and Organization Control (SOC) reporting. Furthermore, CPAs have the professional infrastructure, standards, and credibility to manage these areas. 

The scary truth is that cybersecurity is no longer just a technical issue; it’s a critical business function that touches every aspect of an organization. Traditionally overseen by IT departments, now it’s an area that demands a multidisciplinary approach. Among those stepping up are CPAs. The profession’s knowledge of internal controls and assurance makes CPAs ideal for conducting third-party cybersecurity reviews, and an ability to conduct risk assessments makes them ideally suited for SOC reporting. Recognizing this need, the AICPA in 2017 defined the term “SOC” as a suite of different types of assurance engagements that CPAs may provide to service-related organizations. The AICPA also introduced specific guidelines and frameworks to help CPAs navigate these engagements.

As cyberattacks have become more frequent and sophisticated, clients are employing accounting firms to ensure the environment and controls around their information technology, data security, and privacy are robust, particularly as more organizations outsource components of their data operations. According to CBIZ’s annual SOC Benchmark Study, total SOC reports increased 25% from 2023 to 2024.¹ CPAs possess unique competencies to handle the ever-changing cybersecurity landscape and the demand for assurance services, and as such there are numerous opportunities for CPAs looking to expand their role within the cybersecurity landscape.

Types of SOC Engagements

SOC reports have become the standard for companies to demonstrate effective internal controls in today’s business environment. Currently in the United States, only CPA firms are allowed to conduct SOC engagements. While technical knowledge is helpful in this environment, SOC reviews really demand assurance expertise, independence, and a knowledge of internal control principles. The AICPA has helped by developing designations for distinct types of SOC engagements. (See Table 1.) 

In addition, there are subtypes of the engagements in Table 1. For example, SOC 2 reports can be issued as Type 1 or Type 2 reports. Type 1 provides a system description as of a specific date (point in time), whereas Type 2 provides a system description for a period of time.

Adopted from AICPA material.

The Expanding Cybersecurity Risk Landscape

Cyberattacks were once isolated incidents, but they now pose systemic threats to national security, corporate reputations, and financial markets. This has led to a surge in demand for SOC reports – especially SOC 2, SOC for Supply Chain, and SOC for Cybersecurity – as customers and vendors seek assurance about company data handling practices. SOC engagements provide independent validation of an organization’s controls over security, availability, confidentiality, processing integrity, and privacy. As evidence of the growing need, a 2021 report issued by the AICPA indicated a nearly 50% increase in the demand for SOC engagements and a 2024 KPMG report observed a 23% jump in demand for SOC 2 reporting.²

With organizations depending on numerous providers for various aspects of their supply chain, the need for third-party assurance over the integrity of supply chain activities is critical. Since the COVID-19 pandemic, supply chain attacks aimed at “open-source projects” have increased over 430%.³ Supply chain attacks such as SolarWinds, Kaseya, and Mimecast had devastating consequences for the organizations involved, exposing critical vulnerabilities, disrupting operations, and severely damaging stakeholder trust. While organizations acknowledge the significance of establishing controls to ward off cybersecurity breaches, they often fail to effectively implement or encompass their supply chain providers.

CPAs have a long history of trust among companies and the public with sensitive financial data. Part of this legacy is due to the profession’s commitment to the highest education and licensing practices as well as its objectivity. Likewise, the AICPA’s code of professional conduct and disciplinary procedures help bolster the public’s confidence in the ethics of the accounting profession. These characteristics allow CPAs to enjoy the same trust when it comes to SOC reviews and assurance over cybersecurity.

Cybersecurity Frameworks for CPAs

Cybersecurity frameworks help organizations assess and manage risk systematically. While these frameworks are often developed by governmental or international standard-setting bodies, they align closely with concepts CPAs already understand around internal control evaluation, risk assessment, and compliance monitoring.

CPAs do not aim to replace IT professionals; rather, they hope to collaborate with them. In a SOC 2 engagement, for example, CPAs often rely on system logs and vulnerability scans provided by IT personnel and then interpret the results through the lens of controls testing, assurance, and risk communication. The IT and accounting partnership ensures that technical findings are translated into language that can be communicated to business and other professionals.

This type of scenario has created significant opportunities for CPA professionals, particularly in advisory and attestation services. As companies seek to increase their information security, CPA firms are expanding their service offerings to include SOC reviews. CPA firms are also investing in cybersecurity talent. The AICPA’s 2024 State of the Profession report noted a 38% increase in cybersecurity-related advisory engagements year-over-year, driven by growing regulatory pressure and rising client demand.

For CPAs, expanding engagement types to include cybersecurity may involve pursuing complementary certifications. There are many IT-related certifications available.⁴ Here are a few popular credentials specific to SOC engagements:

• Certified Information Systems Auditor (CISA) focuses on audit, control, and assurance of information systems. Holders are often involved in planning, executing, and reviewing SOC 1, SOC 2, and SOC 3 engagements.
• Certified in Cybersecurity (offered by ISC2) is a foundational credential suitable for those new to the field. For junior staff supporting SOC audits.
• Certified in Risk and Information Systems Control (CRISC) focuses on risk identification, assessment, and response. Highly relevant to SOC 2 engagements involving risk management and internal control evaluation.
• Certified Information Technology Professional (CITP) is offered by the AICPA to CPAs who wish to demonstrate expertise in technology and finance. Aligns well with SOC reporting and technology assurance.
• Certified Information Security Manager (CISM) is offered by ISACA to experienced professionals working in information security governance and risk management. Demonstrates understanding of enterprise-level information security controls.
• Certified Information Systems Security Professional (CISSP) is offered by ISC2 to experienced professionals working in information security operations, risk management, and access control.

The above credentials can help accountants springboard into specialized roles inside or outside the public accounting arena. For example, a CPA who earns the CISA designation may transition into a role as an IT risk adviser or internal audit director. Others can transition into consulting. These roles and functions can help clients navigate the complex regulatory environments or prepare for external assurance engagements.

Conclusion

In an era marked by rising cybersecurity threats and increasing reliance on third-party vendors, SOC reporting has become a critical tool for ensuring trust and transparency. The growing demand for SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity and SOC for Supply Chain engagements reflects the heightened expectations of stakeholders for assurance over internal controls and risk management. The many cyberattacks reported in the media should underscore the devastating consequences of weak system safeguards and reinforce the importance of independent evaluations. As advisory services in IT and cybersecurity continue to expand, CPAs have the unique skills and opportunities to provide specific assurance and attestation services. Doing so not only mitigates risk but also strengthens resilience and stakeholder confidence in today’s complex digital landscape. 

² SOC Survey Results Point to the Value of SOC 1 and 2 Engagements, AICPA & CIMA (2023); and SOC Reporting Benchmarking: Insights for Your Assurance Journey, KPMG (2024).

³ The Pervasive Influence of Open Source: Trends, Adoption, and Security Concerns, Sonatype (2023). 

⁴ Additional IT certifications offered through ISACA include Certified Data Privacy Solutions Engineer, Certified in Governance of Enterprise IT, and Certified Cybersecurity Operations Analyst.

⁵ Comparison of SOC 2, SOC for Supply Chain, and SOC for Cybersecurity Examinations and Related Reports, AICPA & CIMA. 

⁶ Ibid.

⁷ Ibid.

Cybersecurity is often thought to be the exclusive domain of information technology (IT) professionals, but CPAs possess a unique blend of analytical, ethical, and assurance-based skills that make the profession ideal for cybersecurity risk management and System and Organization Control (SOC) reporting. Furthermore, CPAs have the professional infrastructure, standards, and credibility to manage these areas. 

The scary truth is that cybersecurity is no longer just a technical issue; it’s a critical business function that touches every aspect of an organization. Traditionally overseen by IT departments, now it’s an area that demands a multidisciplinary approach. Among those stepping up are CPAs. The profession’s knowledge of internal controls and assurance makes CPAs ideal for conducting third-party cybersecurity reviews, and an ability to conduct risk assessments makes them ideally suited for SOC reporting. Recognizing this need, the AICPA in 2017 defined the term “SOC” as a suite of different types of assurance engagements that CPAs may provide to service-related organizations. The AICPA also introduced specific guidelines and frameworks to help CPAs navigate these engagements.

As cyberattacks have become more frequent and sophisticated, clients are employing accounting firms to ensure the environment and controls around their information technology, data security, and privacy are robust, particularly as more organizations outsource components of their data operations. According to CBIZ’s annual SOC Benchmark Study, total SOC reports increased 25% from 2023 to 2024.¹ CPAs possess unique competencies to handle the ever-changing cybersecurity landscape and the demand for assurance services, and as such there are numerous opportunities for CPAs looking to expand their role within the cybersecurity landscape.

Types of SOC Engagements

SOC reports have become the standard for companies to demonstrate effective internal controls in today’s business environment. Currently in the United States, only CPA firms are allowed to conduct SOC engagements. While technical knowledge is helpful in this environment, SOC reviews really demand assurance expertise, independence, and a knowledge of internal control principles. The AICPA has helped by developing designations for distinct types of SOC engagements. (See Table 1.) 

In addition, there are subtypes of the engagements in Table 1. For example, SOC 2 reports can be issued as Type 1 or Type 2 reports. Type 1 provides a system description as of a specific date (point in time), whereas Type 2 provides a system description for a period of time.

Adopted from AICPA material.

The Expanding Cybersecurity Risk Landscape

Cyberattacks were once isolated incidents, but they now pose systemic threats to national security, corporate reputations, and financial markets. This has led to a surge in demand for SOC reports – especially SOC 2, SOC for Supply Chain, and SOC for Cybersecurity – as customers and vendors seek assurance about company data handling practices. SOC engagements provide independent validation of an organization’s controls over security, availability, confidentiality, processing integrity, and privacy. As evidence of the growing need, a 2021 report issued by the AICPA indicated a nearly 50% increase in the demand for SOC engagements and a 2024 KPMG report observed a 23% jump in demand for SOC 2 reporting.²

With organizations depending on numerous providers for various aspects of their supply chain, the need for third-party assurance over the integrity of supply chain activities is critical. Since the COVID-19 pandemic, supply chain attacks aimed at “open-source projects” have increased over 430%.³ Supply chain attacks such as SolarWinds, Kaseya, and Mimecast had devastating consequences for the organizations involved, exposing critical vulnerabilities, disrupting operations, and severely damaging stakeholder trust. While organizations acknowledge the significance of establishing controls to ward off cybersecurity breaches, they often fail to effectively implement or encompass their supply chain providers.

CPAs have a long history of trust among companies and the public with sensitive financial data. Part of this legacy is due to the profession’s commitment to the highest education and licensing practices as well as its objectivity. Likewise, the AICPA’s code of professional conduct and disciplinary procedures help bolster the public’s confidence in the ethics of the accounting profession. These characteristics allow CPAs to enjoy the same trust when it comes to SOC reviews and assurance over cybersecurity.

Cybersecurity Frameworks for CPAs

Cybersecurity frameworks help organizations assess and manage risk systematically. While these frameworks are often developed by governmental or international standard-setting bodies, they align closely with concepts CPAs already understand around internal control evaluation, risk assessment, and compliance monitoring.

CPAs do not aim to replace IT professionals; rather, they hope to collaborate with them. In a SOC 2 engagement, for example, CPAs often rely on system logs and vulnerability scans provided by IT personnel and then interpret the results through the lens of controls testing, assurance, and risk communication. The IT and accounting partnership ensures that technical findings are translated into language that can be communicated to business and other professionals.

This type of scenario has created significant opportunities for CPA professionals, particularly in advisory and attestation services. As companies seek to increase their information security, CPA firms are expanding their service offerings to include SOC reviews. CPA firms are also investing in cybersecurity talent. The AICPA’s 2024 State of the Profession report noted a 38% increase in cybersecurity-related advisory engagements year-over-year, driven by growing regulatory pressure and rising client demand.

For CPAs, expanding engagement types to include cybersecurity may involve pursuing complementary certifications. There are many IT-related certifications available.⁴ Here are a few popular credentials specific to SOC engagements:

• Certified Information Systems Auditor (CISA) focuses on audit, control, and assurance of information systems. Holders are often involved in planning, executing, and reviewing SOC 1, SOC 2, and SOC 3 engagements.
• Certified in Cybersecurity (offered by ISC2) is a foundational credential suitable for those new to the field. For junior staff supporting SOC audits.
• Certified in Risk and Information Systems Control (CRISC) focuses on risk identification, assessment, and response. Highly relevant to SOC 2 engagements involving risk management and internal control evaluation.
• Certified Information Technology Professional (CITP) is offered by the AICPA to CPAs who wish to demonstrate expertise in technology and finance. Aligns well with SOC reporting and technology assurance.
• Certified Information Security Manager (CISM) is offered by ISACA to experienced professionals working in information security governance and risk management. Demonstrates understanding of enterprise-level information security controls.
• Certified Information Systems Security Professional (CISSP) is offered by ISC2 to experienced professionals working in information security operations, risk management, and access control.

The above credentials can help accountants springboard into specialized roles inside or outside the public accounting arena. For example, a CPA who earns the CISA designation may transition into a role as an IT risk adviser or internal audit director. Others can transition into consulting. These roles and functions can help clients navigate the complex regulatory environments or prepare for external assurance engagements.

Conclusion

In an era marked by rising cybersecurity threats and increasing reliance on third-party vendors, SOC reporting has become a critical tool for ensuring trust and transparency. The growing demand for SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity and SOC for Supply Chain engagements reflects the heightened expectations of stakeholders for assurance over internal controls and risk management. The many cyberattacks reported in the media should underscore the devastating consequences of weak system safeguards and reinforce the importance of independent evaluations. As advisory services in IT and cybersecurity continue to expand, CPAs have the unique skills and opportunities to provide specific assurance and attestation services. Doing so not only mitigates risk but also strengthens resilience and stakeholder confidence in today’s complex digital landscape. 

² SOC Survey Results Point to the Value of SOC 1 and 2 Engagements, AICPA & CIMA (2023); and SOC Reporting Benchmarking: Insights for Your Assurance Journey, KPMG (2024).

³ The Pervasive Influence of Open Source: Trends, Adoption, and Security Concerns, Sonatype (2023). 

⁴ Additional IT certifications offered through ISACA include Certified Data Privacy Solutions Engineer, Certified in Governance of Enterprise IT, and Certified Cybersecurity Operations Analyst.

⁵ Comparison of SOC 2, SOC for Supply Chain, and SOC for Cybersecurity Examinations and Related Reports, AICPA & CIMA. 

⁶ Ibid.

⁷ Ibid.