Cyber Audit Directory: Purpose and Scope

The Cyber Audit Authority directory indexes professional service providers operating in the cybersecurity audit, assessment, and compliance verification sector across the United States. This page describes how the directory is structured, what standards govern inclusion, and how the geographic and categorical scope of listings is determined. Service seekers, procurement officers, and compliance researchers navigating the cybersecurity assurance market will find this reference useful for understanding what the directory covers and what it does not.


How entries are determined

Listings in the Cyber Audit Directory are determined by a structured evaluation process applied uniformly across all candidate entries. The evaluation assesses whether a provider operates in one or more of the recognized cybersecurity audit and assessment disciplines, holds relevant professional credentials, and demonstrates verifiable activity within the sector.

The cybersecurity audit sector encompasses four primary service categories, each with distinct scope boundaries:

  1. IT General Controls (ITGC) audits — assessments of the foundational controls governing information systems, including access management, change management, and operations controls. These are most commonly required to support internal control over financial reporting under Section 404 of the Sarbanes-Oxley Act (SOX), overseen by the Securities and Exchange Commission (SEC), with audit standards set by the Public Company Accounting Oversight Board (PCAOB).
  2. Third-party attestation and SOC reporting — structured engagements performed under the American Institute of Certified Public Accountants (AICPA) attestation standards (SSAE 18), producing System and Organization Controls reports: SOC 1 under AT-C Section 320, and SOC 2 and SOC 3 under AT-C Sections 105 and 205 against the Trust Services Criteria.
  3. Cybersecurity risk assessments — structured evaluations aligned to frameworks such as the NIST Cybersecurity Framework (CSF), NIST SP 800-30, or sector-specific standards such as the HIPAA Security Rule, enforced by the HHS Office for Civil Rights.
  4. Regulatory compliance audits — audits performed against specific regulatory mandates, including PCI DSS (governed by the PCI Security Standards Council), FISMA (implemented through OMB Circular A-130 and NIST standards), and state-level privacy and data security statutes such as the California Consumer Privacy Act (CCPA), enforced by the California Privacy Protection Agency (CPPA).

Providers primarily offering penetration testing, managed detection, or incident response without an audit or attestation function are classified separately and fall outside the scope of this directory.


Geographic coverage

The directory operates at national scope, covering service providers licensed or registered to operate in at least one U.S. jurisdiction. Listings are not restricted to providers headquartered in the United States — multinational firms with a U.S. service footprint and U.S.-facing audit practice are eligible — but all listed providers must demonstrate capacity to serve U.S.-based clients under applicable U.S. regulatory requirements.

Geographic filtering within the directory is structured at the state level, allowing users to identify providers operating in specific jurisdictions. This is operationally significant because state-level cybersecurity audit obligations vary: New York's NYDFS Cybersecurity Regulation (23 NYCRR Part 500) requires covered financial entities to file an annual certification of compliance and to perform periodic penetration testing and vulnerability assessments, and requires the largest ("Class A") companies to obtain independent audits of their cybersecurity programs, all distinct from federal baselines. Similarly, Texas and Virginia have enacted sector-specific security assessment obligations that differ from those under the federal FISMA regime.

Providers operating exclusively in a single metro area or regional market are included where their documented service scope meets inclusion criteria — geography is a filter, not a threshold for quality.


How to use this resource

The directory is structured for rapid navigation by service type, geographic region, credential held, and regulatory framework served. The How to Use This Cyber Audit Resource page provides a detailed walkthrough of filter logic and search parameters.

At the broadest level, researchers and procurement officers should orient their entry into the directory around three decision variables:

The distinction between CPA-firm-led attestation engagements and cybersecurity-firm-led assessment engagements is a critical classification boundary. SOC 2 Type II reports, for instance, may only be issued by a licensed CPA firm under AICPA professional standards — a constraint that excludes a large portion of the broader cybersecurity consulting market from eligibility for that specific service type, even where those firms are competent to perform the underlying control testing as a subcontractor to the CPA firm.


Standards for inclusion

Inclusion in the Cyber Audit Authority directory requires that a listed provider meet at least one of the following qualification thresholds:

Providers are reviewed against publicly verifiable indicators: state CPA board records, PCI SSC QSA company listings, FedRAMP marketplace entries, and ISACA's credential verification system. Self-reported credentials without a verifiable public record are not accepted as qualifying evidence.

Listings do not constitute endorsement, referral, or performance certification. The directory reflects documented presence in the sector, not a quality ranking. Reported changes to a provider's credentials, regulatory standing, or operational status are reviewed on a rolling basis, with removal initiated where disqualifying information is confirmed through a named public source.
