In a world where businesses are constantly looking for opportunities to cut costs, one area where it can be tempting to go with the lowest bidder is the System and Organization Controls (SOC) 2 audit. A quick comparison of the costs involved in producing a standard SOC 2 report often reveals a wide range of prices for what may seem like the same end result; this couldn’t be farther from the truth. There is a wide range in the quality of SOC 2 audits conducted by CPA firms. The American Institute of Certified Public Accountants (AICPA) is the governing body of the SOC 2, and therefore only CPA firms are qualified to conduct SOC 2 attestation audits. A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports have become the standard for evaluating a service organization’s internal controls, and, like anything, if it isn’t done right, it isn’t worth the cost of the paper it is printed on. Contracting a low-cost provider of SOC services whose goal is to “check the box” of SOC compliance may ultimately lead to unforeseen consequences, including reputational harm and even loss of business opportunities for an organization. An organization can avoid these potential problems by thoroughly vetting all bidders and considering their experience and reputation as providers of SOC 2 services, and choosing the right provider can also benefit the organization both now and in the future.
One advantage of choosing a provider with more experience and expertise, rather than simply buying based on price, is the overall efficiency and effectiveness of the entire SOC 2 audit process from start to finish. A qualified SOC 2 provider can assist an organization throughout the SOC 2 audit process, beginning with the initial preparedness assessment. As a result, there will likely be a significant reduction in the time and planning required of an organization’s staff in preparing for the audit. An experienced SOC 2 provider can work with an organization to assess its current control environment and make appropriate recommendations to ensure that, when the SOC 2 audit assessment period begins, the organization is well prepared to meet the requirements of the SOC 2 Trust Services Criteria framework. This is done by ensuring that properly designed controls are in place and that the evidence needed to demonstrate the controls are operating effectively is available upon request. A low-cost provider of SOC 2 services might instead place more of the SOC 2 audit preparedness burden on the organization, costing more time and leaving the audit results uncertain and in jeopardy.
For a SOC 2, an organization should want to understand how its controls will be developed during the preassessment/readiness assessment process. The controls are the responsibility of an organization’s management, but a service auditor has a lot of input into those controls throughout the preassessment process. If an organization is going to be pushed into a template of predefined controls, it may want to step back and think about what it wants to achieve with the SOC 2 report it is getting. Every organization is unique and will require some set of unique controls, and those controls will change as the organization’s environment changes. Will the SOC 2 service auditor be able to work with the organization to help its management develop controls that not only fulfill the Trust Services Criteria mandated in the SOC 2, but also help the organization secure its environment against possible incidents in the future? That benefit is hard to put a dollar amount on, and it really comes down to each organization ascertaining why it wants a SOC 2 audit and what it wants to get out of it.
Another advantage of employing a seasoned SOC 2 audit provider is the overall experience and expertise they bring to the audit. Reputable providers (CPA firms) are peer reviewed every three years, and a potential or current client of a CPA firm can ask to see the results of that firm’s latest peer review. The SOC auditors will either come to the organization’s facility and interview the appropriate personnel, or conduct the audit virtually through a platform such as Teams or Zoom; in either case, the goal is to fully understand the in-scope environment, ensuring a comprehensive audit that fully considers the evidence, notes any deficiencies, and provides valuable recommendations to address these areas in the future. It is important that a client be comfortable with how the audit is done and decide which option is preferred; a reputable SOC service auditor will be able to provide either option. Since SOC audits are normally performed on an annual basis, developing a long-term relationship with a qualified provider can lead to an environment where outside stakeholders who rely on the SOC audit develop a high level of confidence that their data is safe, which may lead to further business opportunities. Low-cost providers of SOC services often don’t provide the recommendations needed to address control weaknesses and deficiencies in future audit periods, and those recommendations may save an organization from a very costly security incident in the future. The opportunity to develop a “trusted advisor” relationship is often missing, as low-cost providers often rotate managers on the engagements rather than sending out a similar team each year. This also adds to the time required on an organization’s part, as questions that have already been asked and answered will inevitably be asked again by the new team.
Another advantage of choosing a qualified SOC 2 audit provider is the timeliness with which the SOC 2 report is produced. A provider that specializes in SOC 2 reports knows the importance of producing the SOC 2 report promptly once the audit period has ended and has the experience and resources to fulfill its obligations in this regard. Failure to produce the report within the proper time constraints diminishes its usefulness, given the report’s time-sensitive nature, and may lead to the loss of key clients who rely on this information. Those who contract the SOC 2 services of lower-cost providers may find that these providers do not have the resources or commitment to produce the SOC 2 report in a timely manner.
Evaluating the full range of considerations when choosing a SOC 2 auditor, rather than simply going with the lowest-cost provider, can lead to these and other advantages, and it is a decision that can have implications for the future success of an organization. Developing a long-term relationship with a qualified SOC 2 provider can be a competitive advantage in a business environment, helping an organization be seen as a trusted organization. For more information, be sure to visit our System and Organization Controls (SOC) service page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.