One question our team hears from non-industry contacts and friends is: why do CPA firms perform SOC 2 audits?
The technical reasons why CPA firms perform SOC 2 audits are pretty simple:
SOC audits are attestation engagements governed by the Association of International Certified Professional Accountants (AICPA).
Attestation standards, such as SSAE 18, and the SOC 2 Trust Services Criteria were codified by the AICPA.
CPA firms must perform SOC 2 audits according to the AICPA's attestation standards.
From a non-technical perspective, there are several reasons CPA firms perform SOC 2 audits:
CPAs are subject matter experts in risk management. It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.
CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.
Depending on an organization's software, infrastructure, people and data, CPAs can determine the high-risk components that should be the focus of the SOC 2 audit.
CPAs understand that a SOC 2 audit is neither a compliance checklist nor a certification. CPAs understand how to use their professional judgment to determine whether security risks are mitigated.
In our case here at Schneider Downs, we specialize in understanding cybersecurity risk, an expertise that some CPA firms do not have.
The next question we usually hear is: how do CPA firms actually perform SOC 2 audits? Typically, they divide SOC 2 audits into the following phases (length and timing may vary):
One to two months prior to the Fieldwork phase:
Confirm examination period for a Type 2 or "as of date" for a Type 1.
Confirm in-scope SOC 2 categories.
Confirm audit timeline, including key milestones and expected report issue date.
Review client's controls and system description.
Schedule audit fieldwork, including interviews and walkthroughs with control owners.
Provide document request list to the client.
Fieldwork phase - two to three weeks to complete:
Inspect evidence to support the design (Type 1) and operating effectiveness (if Type 2) of controls.
Interview control owners and perform walkthroughs as necessary.
Document tests performed and results based on audit standards.
Communicate audit results with the client.
Four to six weeks to complete after the Fieldwork phase is completed:
Perform required quality control procedures to ensure audit standards were followed correctly.
Develop the SOC 2 draft report.
Provide draft report to the client for review.
Issue final SOC 2 report.
There is more involved in each phase, but hopefully this provides some insight as you start your SOC 2 journey.
Another important note is that finding the right CPA firm for your SOC 2 audit is not an easy or pleasant experience. Take the time to find the right one and you will be satisfied. Here are some factors to consider when searching for a CPA firm:
Clear and Concise Responses - Do they answer your questions in CPA lingo or do they communicate requirements in terms you understand?
Educator Mindset - Will they educate you on the process and guide you throughout the audit?
Audit Process - Does their audit process make sense at a high level?
Competency - Do they understand your tech stack? If you are cloud native, ask them how they would audit cloud services, such as S3; if you get a poor answer or blank stares, it’s time to move on.
Audit Tools - Will they use software that makes the audit easier? Ask for a demo.
Audit Approach - Will they take a "by the book" approach, or will they be fair and reasonable and willing to collaborate?
Management Involvement - Talk with a manager in the firm's SOC 2 practice as part of the evaluation process. These are the people who will be driving the audit, not the salesperson.
Leadership - Do managers exhibit qualities that show they care about their employees?
Price - Is the price fair and reasonable?
Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients' expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc.
About SOC 2 Reports
With SOC 2 reports, organizations decide which categories to include in the scope of the examination. This flexibility means reports are unique to each company, while providing a consistent framework to evaluate whether organizations meet the criteria for the categories included in the examination. These examinations are designed for a broad range of users that need information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. The use of this report is restricted. These reports can play an important role in oversight of the organization, vendor management programs, and internal corporate governance and risk management processes.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].