AICPA releases System and Organization Controls (SOC) for Cybersecurity guidance with SOC 2® comparison

AICPA releases System and Organization Controls (SOC) for Cybersecurity guidance with SOC 2® comparison

Guidance outlines key distinctions between two SOC examination types; enables organizations to select the appropriate examination to meet stakeholder needs.

To provide further clarity and insight into SOC for Cybersecurity examinations, the American Institute of Certified Public Accountants (AICPA) published its whitepaper on the key distinctions between SOC for Cybersecurity and SOC 2 examinations in January 2018. The guidance provides context on the need for a cybersecurity-focused examination, as well as summarizes and compares key components of SOC for Cybersecurity and SOC 2. Organizations can use the guidance to determine which examination best addresses the risk management and compliance needs of their management, customers and stakeholders.

Cyber assurance: why the AICPA developed SOC for Cybersecurity

With data breaches and other cybercrimes almost daily in the news and the associated costs of compromise rising, cybersecurity risk management has become a top priority for management and for organizations’ boards, customers, investors, analysts and other business partners or third-party entities. In a recent report from CSO magazine, cyber crime damage costs are projected to reach $6 trillion annually by 2021.

Historically, organizations attempted to evaluate and address cybersecurity concerns by engaging the services of cybersecurity consultants to supplement their own workforces. A SOC for Cybersecurity examination enables an organization to evaluate and verify the level of effectiveness in its cybersecurity risk management program and communicate this information to stakeholders, coupled with the credibility associated with an objective assurance examination conducted by an independent CPA firm. The SOC for Cybersecurity examination can also be used to improve the organization’s cybersecurity preparedness, controls and processes, strengthening its risk profile overall.

Common ground: similarities between the two examinations

The AICPA guidance expands on what a SOC for Cybersecurity examination entails. Similar to a SOC 2, a SOC for Cybersecurity examination and the resulting CPA’s opinion are focused on two aspects:

Common examination elements between SOC for Cybersecurity and SOC 2


System description

  • The system description is written by management to communicate the examination scope and the organization’s control practices to stakeholders.
  • The CPA firm provides an opinion on whether management’s SOC description is fairly presented (i.e., complete and accurate) and addresses the description criteria.

Internal control evaluation

  • The internal control evaluation provides reasonable assurance to stakeholders that the organization has sufficiently designed, implemented and executed controls in order to achieve the specified control criteria.
  • The CPA firm provides an opinion on whether the organization’s controls are suitably designed and operating effectively to address the control criteria.

Both SOC for Cybersecurity and SOC 2 examinations have the flexibility to be scoped at different levels (e.g., one or more business units, services or products); the appropriate level can be determined by an organization based on its reporting needs.

There are also similarities between the two SOC report deliverables; both include:

  • The independent auditor’s opinion on the description and controls
  • Management’s assertion related to the description and controls
  • Management’s description of the scope of the examination and relevant control practices

SOC for Cybersecurity: a comparison to SOC 2

The AICPA guidance helps organizations better understand the scope, approach and deliverables for the SOC for Cybersecurity examination through a direct comparison to the SOC 2 examination. Organizations may determine it is appropriate to complete either a SOC for Cybersecurity examination or a SOC 2 examination – or may opt to do both in order to address different report user needs.

Within the following table is a summary of the key distinctions between the two examination options.


SOC for Cybersecurity


Subject matter

Focuses on an organization’s cybersecurity risk management program – an enterprise-wide examination

The following nine program components must be addressed:

  • Nature of business operations
  • Nature of information at risk
  • Program objectives
  • Inherent risk factors
  • Cybersecurity governance
  • Risk assessment process
  • Information and communications
  • Program monitoring
  • Cybersecurity control activities

Focuses on a service organization’s system related to the services it provides to customers – a specific examination relating to the systems and data involved in those services

The following five system components must be addressed:

  • Software
  • Infrastructure
  • Data
  • People
  • Procedures

Control criteria

TSP section 100, 2017 Trust Services Criteria may be used – If selected as the control criteria, organizations must address criteria for the Security, Availability and Confidentiality principles.

Other industry frameworks (e.g., NIST cybersecurity) meeting the AICPA’s definition of ‘suitable criteria’ may also be used.  

TSP section 100, 2017 Trust Services Criteria – Service organizations can select one or more of the following principles: Security, Availability, Confidentiality, Processing Integrity and/or Privacy.

Intended users

General use

Organization’s stakeholders (e.g., management, directors, investors, analysts, business partners)

Restricted use

Management, auditors, regulators or business partners of current or prospective customers

Connect with us.

For more information, contact Baker Tilly’s Cybersecurity & IT Risk practice. You can also download our ebook “Roadmap to Building a Sustainable Cybersecurity Management Program” or learn more about our cybersecurity services.

What every law firm Schedule K-1 packet generally should (and should not) have
Next up

What every law firm Schedule K-1 packet generally should (and should not) have