SOC for Cybersecurity: An Answer to Leadership’s Cybersecurity Responsibilities

Posted on 11.02.17


By Christopher Moschella, CPA, CISA | Risk Advisory Services Senior Manager | Cybersecurity Team Leader

Business leaders, executives, and directors are understandably uneasy about the state of cybersecurity in their companies. Each week, another company’s good name is dragged through mud by the press on news of a cyberattack. Not only do these organizations spend a great deal of hard-earned money responding to the breach, but the long-term impact of brand damage and lost customers is where most companies feel the biggest hurt.

These cases and the many others we hear about each week are forcing organizational leaders to the conclusion that they must do more to demonstrate that the organization as a whole and they as individuals are doing enough to guard against the cyber threat.

To do more, they first need a clear understanding of what cyber defenses are in place today and how well they function. But what can and should they do?

The AICPA has an answer.

Recently published and apparently sparing no words in the title, the AICPA’s “Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program,” outlines a standard format for organizations to document and communicate information about their cyber defenses to leaders and other stakeholders.

The Description Criteria’s standardized format is intended to ease the burden on boards and leaders who may need to review a variety of these cybersecurity risk management program descriptions. If they all look the same, they will be easier to parse. Additionally, the standardized format will allow CPA firms with cybersecurity expertise to efficiently assist management in preparing these descriptions while not re-inventing the wheel with each new engagement.

The AICPA recognizes that cybersecurity frameworks, such as the NIST Cybersecurity Framework and CIS Top 20 Controls for Cyber Defense, have proliferated. Different organizations and different industries may use different cybersecurity frameworks to guide their cyber risk management programs. As a result, the AICPA’s new guidance is framework agnostic. It allows organizations to use any framework that is “suitable and available” when describing their cybersecurity risk management program.

Some stakeholders, internal or external, may require additional assurance, beyond the description provided by management, that an independent party has evaluated the cybersecurity risk management program. Again, the AICPA has provided guidance that is not dissimilar from the System and Organization Controls (SOC)[1] audits that CPAs have been performing in some form for decades. Like the popular SOC 1 and SOC 2, this new examination-level report is called the SOC for Cybersecurity. Like its siblings, it requires a management assertion that the internal controls within the cybersecurity risk management program are operating effectively. The auditor then tests those controls and issues an opinion covering two areas:
  1. That management’s description is presented in accordance with the AICPA’s description criteria
  2. That the controls within the risk management program were effective enough to achieve management’s cybersecurity risk management goals

The AICPA has invested heavily in creating the truly forward-thinking Description Criteria and associated assurance products. They recognize that full-service accounting firms have been deeply involved with organizational information technology controls since Sarbanes-Oxley, and that the firms with a strong IT and cyber skillset are well-equipped to meet many of their clients’ cybersecurity needs. As the cyber threat grows, organizational leaders, officers, and directors will be expected to have taken an active role in the cybersecurity of the organizations they control, and the new products developed by the AICPA appear to be an excellent step towards meeting those expectations.


Our Risk Advisory Services practice is designed to assist companies with the identification of risks that have a significant impact on their business, including financial, operational, and compliance risks, and with developing sound, cost-effective controls to mitigate those risks. We provide integrated services, including SOC audits and cybersecurity services, that help public and private companies identify and manage their risks. Contact us. Our Risk Advisory Services team can help.



[1] The AICPA recently changed the SOC acronym. It used to stand for Service Organization Control. Today it stands for System and Organization Controls.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Posted by: Christopher Moschella, CPA, CISA

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full-stack web development. Most recently, Chris developed a cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.