A SOC for Cybersecurity examination from an independent CPA firm culminates in a report that describes the effectiveness of your cybersecurity risk management program. The report can be presented to your organization’s board of directors, analysts and investors, business partners, industry regulators and customers to demonstrate that there are effective cybersecurity controls in place to detect, respond to, mitigate and recover from organizational breaches and other security events.
Analysts and Investors
They may need to understand the cybersecurity risks that could threaten the achievement of your organization’s operational, reporting and compliance (legal and regulatory) objectives and, consequently, harm your organization’s value and stock price.
Members of the Board of Directors
They may require information about the cybersecurity risks an organization faces and the current cybersecurity risk management program to fulfill their oversight responsibilities. They may also want information from independent third-party assessors to help them evaluate management’s effectiveness in managing cybersecurity risks.
Business Partners
They may require information about your organization’s cybersecurity risk management program as part of their overall risk assessment. This information is intended to help business partners determine matters such as whether there is a need for multiple suppliers for a good or service and the extent to which they choose to extend credit to your organization.
Customers and Industry Regulators
They may benefit from information about an organization’s cybersecurity risk management program to support their monitoring and oversight roles.
SOC 2
Audience – Typically requested by customers and stakeholders concerned with data security and privacy in outsourced services.
Scope – Primarily for service organizations that need to report to users on security, availability, confidentiality, privacy or processing integrity commitments.
Description Criteria – Includes information on in-scope service commitments, infrastructure, software, data, people, processes and procedures, and relevant aspects of the control environment.
Controls – Uses the AICPA’s Trust Services Criteria (TSC) for assessments. The TSC cover security, availability, confidentiality, privacy and processing integrity.
Timing – SOC 2 timing is up to the organization, but it is typically an annual activity.
SOC for Cybersecurity
Audience – Intended for a broader range of stakeholders, including boards of directors, investors and business partners, seeking assurance on an organization’s cybersecurity posture.
Scope – Can be applied to any organization, including those that do not need to undergo a SOC 2 examination.
Description Criteria – Includes information on an entity’s cybersecurity risk management program. Elements that could be included are cybersecurity risk management objectives, critical assets and data, cybersecurity risk management governance, assessments and internal controls.
Controls – The organization chooses the control framework it measures against. This could be the SOC 2 TSC or another framework such as the NIST Cybersecurity Framework or ISO 27001 (Information Security Management System).
Timing – SOC for Cybersecurity timing is up to the organization, but it is typically an annual activity.
Recognized for our deep SOC experience and established service model, we are leaders in the field and sought-after speakers on SOC reporting requirements both regionally and nationally. Key benefits of working with Schneider Downs include:
Schneider Downs employs a distinctive approach to SOC reports by blending the expertise of IT, internal audit, and external audit professionals. Our integration of diverse knowledge and project management skills ensures we meet and exceed our clients’ expectations. To ensure our SOC reports meet your needs, we employ a rigorous Quality Control system and have peer reviews completed by external assessors on a regular basis. To explore how we can support your organization, please contact us to get started.
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and consulting services to public and private companies, not-for-profit organizations and global companies. We also offer risk advisory, transaction advisory, digital consulting, wealth management, retirement plan solutions and investment banking services. Schneider Downs serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), metropolitan Washington (DC) and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.
© 2024 Schneider Downs & Co., Inc. Maryland license number 35239.
Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For all other requests, please complete the form below.