By now, we have all heard cybersecurity events described as “when, not if” occurrences in today’s business environment. And when they occur, the impact is typically not superficial. Remember the six-day shutdown of the largest fuel pipeline in the United States, which led to shortages across the East Coast? And with the Russian invasion of Ukraine, Federal cybersecurity officials have issued warnings to American businesses about the increased potential of cyber attacks.

Cybersecurity consistently ranks among the top risks concerning business leaders. For this reason, executive management and boards are paying close attention to cybersecurity to protect their customers and their brand. In turn, customers demand an increased level of research and analysis from companies regarding cybersecurity. The American Institute of Certified Public Accountants (AICPA) notes: “Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.”

To address the market need, the AICPA created a reporting framework that businesses can use to demonstrate they have effective cyber risk management practices in place. This framework is a central component of a System and Organization Controls (SOC) for Cybersecurity report and provides transparency into how companies are managing cybersecurity risks.

What is the scope of a SOC for Cybersecurity report, and who can use it?

A SOC for Cybersecurity report can be applied to any company, regardless of size or industry, and the scope is not limited to one defined service performed by that company. The report is considered a general use report, designed for a broad range of users (compared to other SOC frameworks, which are limited to specialized audiences). The report is appropriate for those interested in understanding if a company’s risk management program is thorough and well-designed.

What are the components of a SOC report for cybersecurity?

  • Management’s Description: A narrative description prepared by company management that describes how the organization manages cybersecurity risks, key cybersecurity policies and procedures, and how it determines which systems and information are sensitive. The description provides context to understand the conclusions expressed by management in its assertion and the Certified Public Accountant (CPA) in their report.
  • Management’s Assertion: An assertion by company management on whether the controls for their cybersecurity risk management program are functional, meet cybersecurity objectives, whether the description meets description criteria and whether controls in place effectively achieve cybersecurity objectives.
  • Practitioner’s Opinion: A CPA’s opinion on whether management’s description meets the description criteria and whether the controls in place effectively achieve cybersecurity objectives.

What does a SOC report for cybersecurity not include?

A SOC report for cybersecurity does not describe the details of the controls in place, the tests of controls performed by the CPA, or the results. It validates management’s cybersecurity controls to meet the description criteria. It validates cybersecurity controls that support compliance, privacy and processing integrity. However, it does not provide an expressed opinion on compliance with laws and regulations or privacy and processing integrity criteria.

So, what are the benefits?

Managing cybersecurity risks can be challenging even with a mature cybersecurity risk management program. Having a CPA assess a company’s risk management program via a SOC report for cybersecurity can:

  • Provide leaders with essential information for decision-making.
  • Offer stakeholders more confidence that the company appropriately designed its cybersecurity risk management program.

SOC reports for cybersecurity are a complex topic for many organizations. If you have additional questions about these reports, the Moore Colson Risk Advisory and Compliance Services (RACS) Practice is here to help. Don’t hesitate to contact us for more information.

contact an expert»


Headshot of RACS Director Journet Greene Journet Greene, CISA,  is a Director in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiativesinternal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.



Contact Us

Contact Form Footer

  • This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • This field is for validation purposes and should be left unchanged.