Reporting on SOC for Cybersecurity Engagements and Cyber Risk Management Programs

How SOC for Cybersecurity engagements evaluate management's cyber risk management description, assertion, controls, criteria, and practitioner opinion.

SOC for Cybersecurity is an attestation engagement over an entity’s cybersecurity risk management program. It is not a financial statement audit, not a penetration test, and not a guarantee that no breach will occur. The practitioner evaluates management’s description and whether controls were suitably designed and operated effectively to achieve the entity’s cybersecurity objectives.

For AUD, the key is to distinguish SOC for Cybersecurity from SOC 1 and SOC 2. SOC 1 is tied to controls relevant to user entities’ internal control over financial reporting. SOC 2 reports on controls at a service organization using trust services criteria. SOC for Cybersecurity is broader: it addresses an entity-wide cybersecurity risk management program.

```mermaid
flowchart TD
    A["Management cybersecurity risk management program"] --> B["Management prepares description"]
    B --> C["Management makes assertion"]
    C --> D["Practitioner evaluates description against description criteria"]
    C --> E["Practitioner tests controls against suitable control criteria"]
    D --> F["Opinion on whether description is presented in accordance with criteria"]
    E --> G["Opinion on whether controls were suitably designed and operated effectively"]
    F --> H["SOC for Cybersecurity report"]
    G --> H
```

What the Engagement Covers

| Component | Meaning |
|---|---|
| Cybersecurity risk management program | The entity’s policies, processes, people, controls, and monitoring for cyber risk. |
| Management’s description | Narrative explaining objectives, risks, controls, governance, communication, and monitoring. |
| Description criteria | Criteria used to evaluate whether management’s description is presented fairly. |
| Management’s assertion | Management’s statement about the description and controls. |
| Control criteria | Criteria used to evaluate whether controls are suitably designed and operating effectively. |
| Practitioner’s opinion | Independent opinion based on examination procedures. |

The report provides assurance on the cybersecurity risk management program as described. It does not certify that every cyber risk has been eliminated.

Description and Assertion

Management is responsible for the cybersecurity risk management program, the description, and the assertion. The practitioner examines management’s presentation and controls.

| Management element | What it should address |
|---|---|
| Nature of business and information at risk | What data, systems, and operations the program protects. |
| Cybersecurity objectives | What the program is designed to achieve. |
| Governance structure | Oversight, accountability, roles, and responsibilities. |
| Risk assessment process | How threats, vulnerabilities, and risks are identified and evaluated. |
| Control activities | Policies, procedures, and controls used to manage cyber risk. |
| Communication | How cyber information is communicated internally and externally. |
| Monitoring | How the program is evaluated and improved over time. |

If management’s description omits important parts of the program or describes controls that do not exist, the practitioner must evaluate the effect on the report, including whether the opinion on the description needs to be modified.

Criteria and Control Testing

SOC for Cybersecurity uses suitable criteria for the description and for control evaluation. Trust Services Criteria are commonly relevant to security-oriented control evaluation.

| Control area | Example practitioner focus |
|---|---|
| Logical access | MFA, privileged access, provisioning, termination, and periodic review. |
| Change management | Secure changes to applications, infrastructure, and security configurations. |
| Risk assessment | Identification and assessment of cyber threats and vulnerabilities. |
| Monitoring | Log review, alert escalation, vulnerability scanning, and security metrics. |
| Incident response | Detection, containment, recovery, communication, and post-incident review. |
| Vendor risk | Third-party access, cloud providers, SOC reports, and contract responsibilities. |
| Business continuity | Backups, restoration testing, recovery objectives, and continuity plans. |

Testing design asks whether the control, if it operates as described, is capable of achieving its objective. Testing operating effectiveness asks whether the control actually operated as designed, consistently, throughout the period covered by the report; a well-designed control that was skipped, overridden, or performed late during the period is a deviation.
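The design/operating distinction is easiest to see on a concrete control. The following is an added example, not code from the original page: it tests the operating effectiveness of a hypothetical logical access control, "accounts of terminated personnel are disabled by the end of the calendar day after the HR termination date", over a full reporting period. The HR termination list, the IAM audit log lines, the control wording, and the one-day SLA are all constructed for illustration. Design effectiveness is the practitioner's judgment that this control, if it operates, removes terminated users' access; operating effectiveness is what the script measures, by reconciling the whole termination population for the period against the IAM evidence and classifying each deviation.

```python
"""Operating-effectiveness test of a hypothetical termination control.

Hypothetical control (an assumption for this example, not a control the page
describes): accounts of terminated personnel are disabled by the end of the
calendar day after the termination date recorded by HR. HR records dates
only, so the SLA is measured in calendar days rather than hours.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

PERIOD_START = date(2025, 1, 1)   # reporting period covered by the opinion
PERIOD_END = date(2025, 12, 31)
SLA_DAYS = 1                      # hypothetical SLA from the control wording

# Constructed HR termination population: (user_id, termination date).
HR_TERMINATIONS = [
    ("u1001", date(2025, 2, 3)),
    ("u1002", date(2025, 5, 14)),
    ("u1003", date(2025, 8, 29)),
    ("u1004", date(2025, 11, 2)),
    ("u1005", date(2024, 12, 20)),   # before the period: not in the population
]

# Constructed IAM audit log: "<ISO timestamp> <event> <user_id>" per line.
IAM_LOG = """\
2025-02-03T17:10:00 ACCOUNT_DISABLED u1001
2025-05-16T09:05:00 ACCOUNT_DISABLED u1002
2025-08-29T11:00:00 PASSWORD_RESET u1003
2025-11-02T08:30:00 ACCOUNT_DISABLED u1004
2025-11-05T08:30:00 ACCOUNT_ENABLED u1004
"""

STATE_EVENTS = ("ACCOUNT_DISABLED", "ACCOUNT_ENABLED")


@dataclass(frozen=True)
class TestResult:
    user_id: str
    terminated: date
    disabled_at: Optional[datetime]
    status: str  # "ok", "late", "not_disabled" or "re_enabled"


def parse_iam_log(text: str) -> dict:
    """Group IAM audit events by user, each list sorted by timestamp."""
    events: dict = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_id = line.split()
        events.setdefault(user_id, []).append((datetime.fromisoformat(ts), event))
    for user_events in events.values():
        user_events.sort()
    return events


def in_period(terminated: date) -> bool:
    """Population definition: terminations dated inside the reporting period."""
    return PERIOD_START <= terminated <= PERIOD_END


def evaluate_termination(user_id: str, terminated: date, events: list) -> TestResult:
    """Classify one termination against the IAM evidence for that user."""
    deadline = datetime.combine(terminated + timedelta(days=SLA_DAYS), time.max)
    state = [(ts, ev) for ts, ev in events if ev in STATE_EVENTS]
    disables = [ts for ts, ev in state if ev == "ACCOUNT_DISABLED"]
    last_disable = disables[-1] if disables else None
    if not disables:
        return TestResult(user_id, terminated, None, "not_disabled")
    if state[-1][1] == "ACCOUNT_ENABLED":
        # Disabled at some point but enabled again with no later disable:
        # the account is active after termination, which defeats the objective.
        return TestResult(user_id, terminated, last_disable, "re_enabled")
    # Final state is disabled; last_disable is when it became, and stayed, disabled.
    if last_disable > deadline:
        return TestResult(user_id, terminated, last_disable, "late")
    return TestResult(user_id, terminated, last_disable, "ok")


def run_test(terminations: list, log_text: str) -> list:
    """Test the whole in-period population rather than a handful of items."""
    events = parse_iam_log(log_text)
    return [
        evaluate_termination(uid, term, events.get(uid, []))
        for uid, term in terminations
        if in_period(term)
    ]


def summarize(results: list) -> dict:
    """Deviation count and rate, the inputs to the practitioner's severity judgment."""
    exceptions = [r for r in results if r.status != "ok"]
    rate = len(exceptions) / len(results) if results else 0.0
    return {"population": len(results), "exceptions": len(exceptions), "deviation_rate": rate}


if __name__ == "__main__":
    results = run_test(HR_TERMINATIONS, IAM_LOG)
    for r in results:
        print(f"{r.user_id} terminated {r.terminated} disabled {r.disabled_at} -> {r.status}")
    print(summarize(results))
```

Two design choices matter for the evidence this produces. The population is defined from the HR side, not from the IAM side, so a user who was never disabled (u1003) still appears as a deviation rather than silently dropping out. And the classification looks at the account's final state, so an account disabled on time but re-enabled later (u1004) is flagged even though a naive "was a disable event logged?" check would pass it. A deviation rate of 75 percent on four items, as in the constructed data, would lead the practitioner to evaluate severity and most likely modify the control opinion; the script reports the facts, the opinion remains a judgment.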

Report Types and Users

SOC for Cybersecurity can be useful to boards, investors, customers, regulators, business partners, or other stakeholders who need a structured view of the entity’s cyber risk management program.

| Report feature | Exam point |
|---|---|
| Entity-wide focus | The engagement addresses the cybersecurity risk management program, not only one financial application. |
| Attestation report | A CPA practitioner provides an opinion under attestation standards. |
| Management responsibility | Management owns the program, description, assertion, and controls. |
| No breach guarantee | Effective controls reduce risk but do not eliminate all cyber risk. |
| Audience needs | The report can communicate program maturity and assurance without disclosing every sensitive technical detail. |

The report should balance transparency with security. It should provide enough information for users to understand the program and opinion without unnecessarily revealing exploitable details.

Comparison With Other SOC Reports

| Report | Main focus | Common user need |
|---|---|---|
| SOC 1 | Controls at a service organization relevant to user entities’ ICFR. | User auditors and user entities need financial reporting control assurance. |
| SOC 2 | Controls at a service organization related to trust services criteria. | Users need assurance over security, availability, processing integrity, confidentiality, or privacy. |
| SOC 3 | General-use summary of SOC 2-type subject matter. | Broad audience wants high-level assurance. |
| SOC for Cybersecurity | Entity-wide cybersecurity risk management program. | Stakeholders need assurance over the organization’s cyber risk management program. |

Do not choose SOC for Cybersecurity when the fact pattern asks about a payroll processor’s controls relevant to a user entity’s financial statements. That is usually SOC 1 territory.

Reporting Problems

| Problem | Possible reporting effect |
|---|---|
| Description is incomplete or misleading | Practitioner may need to modify the opinion on the description. |
| Controls are not suitably designed | Practitioner may modify the control opinion. |
| Controls did not operate effectively | Practitioner evaluates severity and may modify the opinion. |
| Scope limitation | Practitioner may disclaim or withdraw, depending on circumstances. |
| Sensitive information cannot be disclosed | Practitioner evaluates whether the description remains fair and sufficient. |

An unmodified opinion does not follow simply because management has a cybersecurity program. The report depends on whether the description is fairly presented and whether the controls meet the criteria, both in design and in operation.

Exam Traps

  • SOC for Cybersecurity is not SOC 1 and is not primarily about user entities’ ICFR.
  • It is not a penetration test or guarantee that no cyber breach will occur.
  • Management is responsible for the cyber risk management program, description, assertion, and controls.
  • The practitioner provides an attestation opinion based on suitable criteria and evidence.
  • Design effectiveness and operating effectiveness are different conclusions.
  • A high-level report should not omit information necessary for the description to be fair.
  • Cybersecurity assurance can be useful to stakeholders, but it does not replace the financial statement audit.

Quick Review

Use this sequence for SOC for Cybersecurity questions:

  1. Identify whether the subject is an entity-wide cyber risk management program.
  2. Separate management’s responsibilities from the practitioner’s responsibilities.
  3. Evaluate management’s description against description criteria.
  4. Evaluate controls against suitable control criteria.
  5. Distinguish design effectiveness from operating effectiveness.
  6. Compare the fact pattern with SOC 1, SOC 2, and SOC 3 before selecting the report type.
  7. Remember that the report provides assurance, not a breach-free guarantee.

Review Questions

### What is a SOC for Cybersecurity engagement primarily about?

- [ ] A financial statement audit of cybersecurity expenses.
- [x] An attestation engagement over an entity's cybersecurity risk management program.
- [ ] A mandatory SEC audit for every public company.
- [ ] A penetration test with no management assertion.

> **Explanation:** SOC for Cybersecurity is an attestation engagement over the entity's cyber risk management program.

### Who is responsible for management's description and assertion?

- [ ] The service auditor alone.
- [x] Management.
- [ ] The users of the report.
- [ ] The insurance carrier.

> **Explanation:** Management owns the program, description, assertion, and related controls.

### What does the practitioner evaluate in a SOC for Cybersecurity engagement?

- [ ] Only the number of firewalls purchased.
- [x] The description and whether controls are suitably designed and operating effectively against suitable criteria.
- [ ] Whether the entity will never experience a breach.
- [ ] Whether the financial statements are fairly presented.

> **Explanation:** The practitioner examines the description and controls; the engagement is not a financial statement audit or breach guarantee.

### Which report is most directly focused on controls relevant to user entities' internal control over financial reporting?

- [x] SOC 1.
- [ ] SOC for Cybersecurity.
- [ ] SOC 3 seal only.
- [ ] A tax compliance report.

> **Explanation:** SOC 1 reports address controls at a service organization relevant to user entities' ICFR.

### Which statement about SOC for Cybersecurity is correct?

- [ ] It guarantees no cyber incident can occur.
- [x] It can provide stakeholders assurance about the entity's cybersecurity risk management program.
- [ ] It replaces all SOC 1 reports.
- [ ] It is only a list of hardware assets.

> **Explanation:** The report provides assurance over the described program and controls, not a guarantee against breach.

### What is design effectiveness?

- [ ] Whether a control was performed every day during the period.
- [x] Whether a control is suitably designed to achieve its objective if it operates as designed.
- [ ] Whether the control costs less than budgeted.
- [ ] Whether the entity has cyber insurance.

> **Explanation:** Design effectiveness asks whether the control is capable of achieving the intended objective.

### What is operating effectiveness?

- [ ] Whether management likes the control.
- [ ] Whether the control is described in a brochure.
- [x] Whether the control operated as designed during the specified period.
- [ ] Whether the control is optional.

> **Explanation:** Operating effectiveness is about actual operation over the period.

### Which item would usually belong in management's cybersecurity description?

- [ ] Competitor market share.
- [x] Governance, risk assessment, controls, communication, and monitoring for cyber risk.
- [ ] The auditor's billing rate.
- [ ] The exact password of the chief information officer.

> **Explanation:** The description covers the program structure and controls, not irrelevant or sensitive details.

### What should the practitioner do if the cybersecurity description is materially misleading?

- [ ] Ignore it because controls exist.
- [x] Evaluate the effect on the report and modify the opinion if necessary.
- [ ] Automatically issue a clean report.
- [ ] Convert the engagement to a compilation.

> **Explanation:** A misleading description can require report modification.

### What is a common trap when selecting SOC for Cybersecurity?

- [ ] Recognizing that it is entity-wide.
- [x] Selecting it for a service organization's controls relevant to a user entity's financial statement audit.
- [ ] Distinguishing it from a financial statement audit.
- [ ] Remembering management's assertion.

> **Explanation:** Controls relevant to user entities' ICFR usually point to SOC 1, not SOC for Cybersecurity.
Revised on Monday, June 15, 2026