Security efforts continue to change as industries evolve, introducing new procedures, processes, and tools. To address these new challenges, governing bodies continue to release new standards and guides that help organizations validate specific controls.
As the number of audit options increases, understanding the capabilities and functions of each becomes critical. Each examination is different and should not be used to replace another; rather, they should be used together in a unified approach.
In addition to the existing SOC audits, the AICPA released a new examination, SOC for Cybersecurity, in response to increased cybersecurity risk and vulnerabilities. This new audit differs from SOC 2 in three main ways: purpose, criteria, and assessment reports. Because of these differences, the two assessments can be used in conjunction for a holistic engagement tailored to an organization's specific needs. Before you choose your auditing options, it is imperative to understand their functions.
SOC 2 audits are extremely common among organizations. The purpose of this assessment is to provide system users with detailed information on the organization's security controls. The examination is based on one or more of the five Trust Services Principles (TSPs). The report generated from this assessment provides clients with assurance by demonstrating the effectiveness of the organization's internal controls.
SOC for Cybersecurity
The new audit, SOC for Cybersecurity, assesses an organization's cybersecurity risk management program and its controls against cybersecurity objectives defined by entity management. The resulting report gives its intended users in-depth information to better understand the organization's security efforts. By completing this examination, organizations can communicate the risk management strategy they have in place to effectively manage cybersecurity threats.
Organizations can reap the benefits of both audits by combining them in a single assessment tailored to their specific needs. The main difference between the two assessments is their scope. SOC 2 focuses on general information security, regardless of where the information resides. SOC for Cybersecurity, on the other hand, is more granular, focusing on the protection of electronic information residing in the cyber realm.
By adding SOC for Cybersecurity to a SOC 2 audit, organizations receive a more comprehensive assessment. Since SOC 2 tests controls against pre-defined criteria, adding SOC for Cybersecurity provides additional attestation on an organization's risk assessments for threats in the cyber realm that are not necessarily covered in a typical SOC 2 audit. The result is a more detailed evaluation of an organization's overall security effectiveness.
Same AICPA Standards
Since the AICPA created both types of assessment, both are conducted under the same professional standards: AT-C sections 105 and 205. Adding SOC for Cybersecurity to a SOC 2 examination is therefore not difficult, as practitioners do not have to evaluate an organization's controls against multiple standards during the audit. This makes for a streamlined engagement process for the organization.
Although both audits are conducted under the same standards, the AICPA implementation guidance for each is not the same. This means that practitioners report on the two examinations differently.
Given that SOC 2 reports are restricted-use reports, adding a SOC for Cybersecurity report, which is a general-use report appropriate for distribution, can help communicate general security and cybersecurity risk management efforts to a larger audience, including regulators, vendors, business partners, and more.
Determining Your Audit Combination
Although there are many benefits to adding SOC for Cybersecurity to a SOC 2 audit, there are also many other configurable and valuable audit options. Not all compliance and security solutions are the same, so it is important to find the one that best suits your organization's unique auditing needs.
As a licensed CPA firm, A-LIGN can conduct both audits for your company. Our primary focus is to select the right audit that meets your needs. For more information regarding SOC 2 and SOC for Cybersecurity, contact us at [email protected] or call 1-888-702-5446 to have an experienced assessor answer your security and compliance questions.