Why Are CPA Firms Only Doing SOC 2 Reports?
When selecting a SOC 2 independent auditor, there are several options out there ranging various levels of expertise and cost. This article covers why selecting the right Certified Public Accountant (CPA) firm to perform the SOC 2 audit can be invaluable to an organization’s security environment and provide a high level of reliability from one’s user entities that use the report in their vender management reviews of your organization.
SOC 2 Examinations
A System and Organization Controls (SOC) 2 examination is a report on controls at a service organization and includes principles such as security, availability, processing integrity, confidentiality, or privacy. These principles surrounding the SOC 2 were developed by the American Institute of Certified Public Accountants (AICPA) and outlines the requirements to be SOC 2 compliant. Compliance is based on Trust Services Criteria which outlines the five principles mentioned above. When it comes to SOC 2, security is required, and the other four are optional depending on organization. Availability may be added for SaaS providers or data centers, and Privacy or Confidentiality may be added for organizations that work with sensitive information or data such as healthcare or insurance companies.
Selecting a SOC 2 Auditor
There are several factors that can play into the decision to select a SOC 2 auditor. These can include Reputation and Experience, Qualifications and Technical Expertise, Resources and Capacity, Geographic Reach and Presence, Specialized Services, and Overall Cost/Value. When it comes down to cost with SOC 2 audits, they often fall under the “you get what you pay for” premise, and low-cost providers can often result in lower quality audits. This can leave an organization potentially open to vulnerabilities and controls that don’t fully cover their environment. User Entities or customers rely on this report to comply with their vendor security requirements or contractual obligations. A below average report can increase liabilities for all organizations involved. If something goes wrong down the road where a user entity relied on the SOC 2 report of an organization, and it was done has a “checklist” audit, the organization will end up paying way more in the future to solve the nightmare created with a below average SOC 2 examination. Cost can be an important piece of the puzzle when selecting a SOC 2 auditor, but a combination of Reputation, Qualifications and Credentials, and additional services can also play a key role in the selection process.
CPA firms are providers of SOC reports. When it comes to performing a SOC 1, SOC 2, or SOC 3 engagement, choosing the right CPA firm can help provide assurance to your customers and allow for better security for an organization.
For more information, be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology consulting practice, performing SOC 1, SOC 2, and SOC 3 engagements, as… Read more