Selecting a SOC 2 Audit Firm
A SOC 2 is a report on controls at a service organization relevant to the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are the established industry standard for assessing and evaluating a service organization’s internal controls and, therefore, a necessity for companies to manage the risk of using service organizations. The AICPA is the governing body for SOC 2 and mandates that only CPA firms are qualified to issue SOC 2 audit opinions. Many CPA firms provide SOC 2 audits; however, selecting the right SOC 2 auditor requires evaluating audit firms based on the following four characteristics.
Experience and Technical Expertise
When evaluating potential audit firms, it is crucial to find a firm with a history of providing high-level information technology auditing and consulting services. Successful firms with long histories of delivering SOC 2 audit services and internal control consulting services provide the necessary experience to help any service organization through the challenges of SOC 2. Service organizations vetting firms should evaluate the combined experience, including the depth and skill set of audit team members, for each firm. In addition to evaluating experience, service organizations should also assess the technical expertise of audit team members, such as certifications including Certified Information Systems Auditor (CISA) and Certified Internal Auditor (CIA). The combination of broad experience and technical knowledge should provide service organizations with an audit firm that is a trusted partner to complete the SOC 2 audit.
Audit Approach
Service organizations should also evaluate the audit firm’s audit approach. Each audit firm performs SOC 2 audits using different client service and project management approaches. Every service organization faces challenges in completing the SOC 2 audit, and one approach to the SOC 2 audit does not suit every service organization. Service organizations should evaluate their unique challenges and select a firm whose approach is best suited to their organization. They should also select an audit firm that understands every organization is different and requires unique controls to meet the SOC 2 requirements. In addition, priority should be placed on audit firms that provide a collaborative audit approach that takes the necessary time to discuss an organization’s changes, challenges, and issues that may impact their business. Controls will fluctuate as an organization’s environment changes; SOC 2 audit firms that can provide a tailored collaborative approach will help an organization manage those changes.
Comprehensive Cybersecurity Services
Service organizations should also evaluate SOC 2 firms with a robust and established suite of cybersecurity assurance services. Audit firms that provide audits and assessments for HIPAA compliance, CMMC, and HITRUST offer a full range of assurance services, allowing the service organization to grow and evolve without changing its SOC 2 audit firm. Additionally, service organizations should evaluate firms that provide information security consulting services, including information security policy development, IT risk assessments, disaster and business continuity planning, and information security training. Selecting a firm with a broad scope of services and experience beyond SOC 2 provides the service organization with a partner that can offer additional insights and recommendations to improve security posture and overall compliance readiness.
Commitment to Client Service
Choosing a firm that values client relationships and provides excellent customer service will make the SOC 2 audit process smoother and less disruptive to the organization and its employees. SOC 2 firms with a client-centric approach allow service organization management and audit teams to develop an agreed-upon timeline for not only the deliverable but also the communication of status updates, open items, and issues. Firms that focus on client service provide the service organization with a SOC 2 audit firm that does more than meet deadlines; they provide a quality experience during the audit process.
When making a decision on a CPA firm, set up a consultation with McKonly & Asbury to discuss your specific needs, understand our approach, and ensure all of your requirements for your SOC 2 audit get met. For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.
About the Author
Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.