SOC examination for cybersecurity for remote workplaces | Baker Tilly
Strengthening cybersecurity: How SOC audits address remote work risks
Sept. 28, 2020 · Updated June 30, 2025 · Authored by Mark Hurst
With an increase in employees working from home, there’s a new set of risks that security executives and teams must address as the workforce moves from physical offices to working remotely.
5.2% of employees worked from home in 2017. Since the pandemic, that number is closer to 25% or 30%. Some sectors, such as technology, have effectively gone 100% remote. According to many surveys of executives and office employees, most desire a more flexible working arrangement and believe they’ll continue to work from home one to two days a week in the future.
Implementing a work-from-home strategy has impacted management’s risk environment and corresponding internal controls — from execution controls and virtual private network (VPN) access to assessing the infrastructure changes required to support a large remote workforce.
Here, we’ll outline how cyber-risks are increasing as companies transition to remote work and the ways a System and Organization Controls (SOC) examination for Cybersecurity can help your organization.
Increased risks
With a greater reliance on collaboration tools and technologies for remote workers, there has been a marked increase in phishing attempts and ransomware attacks. In addition, changes in regular operations could mean that standard monitoring controls no longer take place.
Monitoring controls
Robust monitoring controls to counteract these threats are a necessity, along with vigilant oversight from management. Companies should evaluate whether they can still obtain sufficient evidence to verify that their internal controls are operating effectively. This includes checking that all monitoring functions remain in effect and documenting them for eventual use as audit evidence.
As a result of the changing work-from-home environment, boards of directors and senior executives of organizations see an increased need to better understand their cybersecurity risks. One solution is a SOC examination, commonly referred to as a SOC audit, for Cybersecurity.
SOC audit for cybersecurity
A SOC audit for Cybersecurity can help provide a reporting mechanism that organizations can use to communicate relevant information about the effectiveness of their Cybersecurity Risk Management Program (CRMP).
This examination provides an independent, entity-wide assessment that gives boards, investors, business partners, and other stakeholders confidence in an organization’s CRMP. This can help organizations better identify and contain potential cyberthreats.
Following are some commonly asked questions about this process.
Who’s the intended audience?
This audit can benefit any type of organization, whether it’s a business or not-for-profit.
The audit is designed to meet the needs of a broad range of users, but the intended audience is often board members, management, regulators, and analysts.
The report is appropriate for general use; its use isn’t restricted to specified parties. Nevertheless, practitioners may decide to restrict the use of their report to specified parties to limit the distribution of the report to only those who need to know or who have specifically requested the information.
Why do you need a SOC audit for cybersecurity?
Management and directors commonly want information about the effectiveness of an entity’s cybersecurity controls.
Investors, analysts, and others could request an examination because their decisions might be affected by management’s process for managing cybersecurity risks.
The benefit is having transparent insight into the entity’s CRMP, which addresses the risks and mitigation strategies to combat cyberattacks.
What’s management’s responsibility?
Management is responsible for all of the controls within the entity’s CRMP, regardless of whether those controls are performed by the entity or by a service organization.
While the scope of the SOC report can be limited to a portion of the entity or cover the larger organization as a whole, the description criteria require that all controls within the entity’s CRMP be addressed.
What’s the subject matter of management’s report and assertion?
The subject matter of a SOC audit for Cybersecurity is the entity’s CRMP.
The report contains a written description of the CRMP control objectives and the related controls. The controls within the program are the means by which the entity achieves its cybersecurity objectives.
What are the contents of the report?
The SOC audit for Cybersecurity report contains three sections:
An opinion by the independent third-party examiner stating whether the description of the entity’s CRMP was presented in accordance with the description criteria, and whether the controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria.
A written assertion by management stating that the description of the entity’s CRMP was presented in accordance with the description criteria, and that the controls within the program were effective in achieving the entity’s cybersecurity objectives based on the control criteria.
A written description, or narrative, that contains the CRMP control objectives and related controls.
How do you select a security framework?
Select the framework that best meets the needs of the organization and base the SOC audit for Cybersecurity on that framework.
The National Institute of Standards and Technology (NIST) guidelines are generally regarded as the security industry’s gold standard; many security assessments are based on the various NIST Special Publication 800-series documents.
A SOC audit for Cybersecurity can also be based on the American Institute of Certified Public Accountants (AICPA) SOC security principles for security, availability, and confidentiality. Such criteria are suitable for use as control criteria.
Additional security frameworks to consider
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
International Organization for Standardization (ISO)/IEC 27001/27002 and related standards
U.S. Department of Homeland Security requirements for annual Federal Information Security Management Act (FISMA) reporting
Federal Financial Institutions Examination Council (FFIEC) questionnaires
Control Objectives for Information and Related Technologies (COBIT) 5
Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework
Health Insurance Portability and Accountability Act (HIPAA) Security Rule
Payment Card Industry Data Security Standard (PCI DSS) 3.2
NIST Special Publications 800 series
HITRUST CSF
Cybersecurity disclosures for SEC companies
In addition, public companies must routinely prepare disclosures about cybersecurity risks and incidents.
In its Commission Statement and Guidance on Public Company Cybersecurity Disclosures, published on Feb. 26, 2018, the SEC states that companies should consider the materiality of cybersecurity risks and incidents when preparing the required disclosures in registration statements under the Securities Act of 1933 and the Securities Exchange Act of 1934, and in periodic and current reports under the Exchange Act.