SOC 2 Compliance Audit for Cybersecurity

In 2017, AICPA developed a SOC 2 cybersecurity reporting framework that organizations can use to demonstrate to key stakeholders the extent and effectiveness of an entity’s cybersecurity risk management program. Management formulation of objectives is critical to cybersecurity risk management programs. Management establishes cybersecurity objectives that address cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). They may vary depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors.

Why SOC 2 for Cybersecurity?

Cybersecurity risk has become a front-and-center issue in today’s global economy. The media reports cyberattacks ranging from major customer record thefts and healthcare record breaches to political incidents. Unfortunately, we are living in a world where the risk of a cyber intrusion is no longer a question of if, but a question of when. In fact, according to the World Economic Forum, data fraud or theft and cyberattacks rank as top risks on its list of Top Ten Risks in Terms of Likelihood.

Cybersecurity brings extraordinary challenges. Organizations face varying threats with varying impacts—all in an environment marked by rapid technological change. Furthermore, various stakeholders must gather information and converse about cybersecurity between and among each other. Cybersecurity challenges require every sector of the economy to play a role. While government policy and activity will be critical in promoting cybersecurity resilience, the private sector's energy, agility, and innovation must be harnessed as well. The auditing profession will do its part by playing a key role in helping organizations—public and private—adapt to this challenging landscape.

Given the high-profile nature of cyberattacks on corporations, both the demand for information related to cybersecurity—and the need to facilitate robust conversations on these topics—have grown exponentially across major stakeholder groups.

Board members: Boards of directors need information about the entity’s cybersecurity program and the cyber threats facing the entity to help the boards fulfill their oversight responsibilities. They also want information that will help them evaluate the entity’s effectiveness in managing cybersecurity risks.

Management Assertion

Management asserts whether Management's Description in Section III of the SOC 2 report presents the entity’s cybersecurity risk management program in accordance with the description criteria, and whether the controls within the cybersecurity risk management program were effective in achieving the entity’s cybersecurity objectives based on a suitable set of control criteria. One example of suitable control criteria is the 2017 Trust Services Criteria (criteria for security, availability, confidentiality, processing integrity, and privacy).

Typical Scope

A SOC 2 Cybersecurity Risk Management Examination usually addresses an entity-wide program or a portion of it. The examination may be limited to one or more specific business units, segments, or functions of an entity when those units, segments, or functions operate under an entity-wide cybersecurity risk management program or under an independent cybersecurity risk management program.