SSAE 18 Audits | System and Organization Controls (SOC)

Previously SSAE-16

Home ssae-18 System and Organization Controls (SOC) for Cybersecurity
System and Organization Controls (SOC) for Cybersecurity

By

System and Organization Controls (SOC) for Cybersecurity

The AICPA has recently announced a new cyber security attestation in April 2017.

Subject matter of the cybersecurity examination will include:

  • A description of the entity’s cybersecurity risk management program in accordance with the description criteria
  • An assessment of the design and/or effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria

The AICPA States the following:

  • SOC for cybersecurity is an examination engagement performed in accordance with the AICPA’s clarified attestation standards on an entity’s cybersecurity risk management program.
  • Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.
  • To address this market need, the AICPA has developed a cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organizations’ enterprise-wide cybersecurity risk management program.  This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations’ efforts. SOC 1 focuses on matters relevant to user entities’ internal control over financial reporting.

Source: www.aicpa.org

This new examination is expected to be very expensive and more difficult for demonstrating compliance when compared to other SOC reports. It will required that the scope of the report will be over the entire entity and cannot be discrete business units. Additionally, the price may be closed to that of a company’s financial statement audit.

As this is a relatively new attestation, it is expected that most companies will go through readiness assessments during 2018.