SOC For Cybersecurity

Cybersecurity threats are on the rise, challenging organizations of all sizes—whether public or private!

Boards of directors, managers, investors, customers and other stakeholders are pressuring organizations to demonstrate that they are managing cybersecurity threats, and that they have put into place effective cybersecurity risk management programs to prevent, detect and respond to security breaches and other security events.

The AICPA has introduced a Cybersecurity Risk Management Reporting Framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The Reporting Framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations’ efforts.

What is a Cybersecurity Risk Management Program?

A cybersecurity risk management program is defined as the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.

What are Cybersecurity Objectives?

Cybersecurity objectives are objectives established by management that address cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). They vary depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors. For example, a telecommunications entity may have a cybersecurity objective related to the reliable functioning of those aspects of its operations that are deemed to be critical infrastructure, whereas an entity that promotes online dating is likely to regard the confidentiality of personal information collected from its customers as a critical factor towards the achievement of its operating objectives.

SOC for Cybersecurity Engagement Overview

SOC for Cybersecurity is an examination engagement, performed in accordance with the AICPA’s clarified attestation standards, on an entity’s cybersecurity risk management program. The AICPA Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls, provides guidance for practitioners engaged to examine and report on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, the practitioner opines on: (a) management’s description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a general use cybersecurity report designed to meet the needs of a variety of potential users. The cybersecurity risk management examination report includes the following three key components:

  • Management’s description of the entity’s cybersecurity risk management program.
  • Management’s assertion.
  • Practitioner’s report.

Who are Potential Users and what are the Benefits?

Senior Management, Board of Directors, Analysts and Investors, and Business Partners are all potential users of a cybersecurity risk management examination.

A cybersecurity risk management examination report provides:

  • Senior management with information about the effectiveness of an organization’s cybersecurity risk management program.
  • Board members with information about the cybersecurity risks the entity faces and the program that management has implemented, to help them fulfill their oversight responsibilities.
  • Analysts and investors with information intended to help them understand the cybersecurity risks that could threaten the achievement of the entity’s operational, reporting, and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the entity’s value and stock price.
  • Business partners with information about the entity’s cybersecurity risk management program as part of their overall risk assessment.

Why Moore Colson?

Moore Colson has the knowledge, experience and depth to help you accomplish your goals. Given our experience working with companies under similar engagement parameters, we are confident that Moore Colson will deliver.

Moore Colson Can Help!

Moore Colson has the knowledge, experience and the right team of advisors to assist your company with:

  • Readiness Services: Moore Colson can use the SOC for Cybersecurity criteria and guidance to assist you with implementing or strengthening your cybersecurity risk management programs.
  • Attestation Services: Moore Colson can offer a cybersecurity risk management examination engagement and provide an opinion on the entity’s description of its efforts, and the effectiveness of its controls.

Talk to an expert

Michael Hammond
Partner
Bret Roy
Partner
Patrick Daniel
Director