Are You Paying Too Little for Your SOC Report?

Date: April 29, 2022
Author: Matthew Schiavone, CPA, CISSP, CISA

Preposterous question? Maybe. Paying less for something, especially if the work seems satisfactory to you, can be a good thing. However, when it comes to SOC (System and Organization Controls) reports, it’s not just about you. Too many SOC reports either are of poor quality or lack utility, or both. These reports have a purpose, internally as well as externally, and you want to be sure your report can be relied on to accommodate the reasons you invest in them.

What you pay for

First, as with any audit, you’re paying for an independent, professional examination. In today’s digital world, cybersecurity and information assurance are critical, and for the sake of your business you want an independent review and the opportunity to learn about any weaknesses or other areas where you need to make improvements. A SOC audit should not be a rubber stamp; it shouldn’t be a check-the-box exercise, which is often what a low bid delivers.

Second, there’s a good chance you undergo a SOC audit because of customer demand. Even when the audit is a proactive measure on your part, it is your customers who request these reports. Unfortunately, in the past it wasn’t uncommon for customers to request a report and then file it away without reading past the cover page. The request might have originated from a need to demonstrate their own vendor risk management process, or because they knew their auditors would demand it.

But the times are changing. Your customers are scrutinizing your SOC reports, and those reports need to provide them with crucial information about your systems, operations, and internal controls. Poor quality reports can leave your customers questioning the legitimacy of … well … everything—the auditor, the auditor’s tests, the audit results, and even management’s decisions.

Some ways you can tell that you’re not getting a quality report:

The auditor’s testing consists only of inquiry. Per American Institute of Certified Public Accountants (AICPA) guidance, when testing a control, auditors cannot rely on inquiry alone. They must perform inspection, observation, or re-performance in conjunction with any inquiry. However, it’s not uncommon to find reports where an auditor’s testing consists only of inquiry. Not only is inquiry a weak form of testing that does not conform to AICPA guidance, but readers can’t and don’t rely on it.

The issuing CPA does not undergo peer review. SOC reports can only be issued by CPAs, and only by CPAs who undergo peer review. If the issuing CPA firm doesn’t undergo peer review, the report is not legitimate. You can check whether a CPA firm has undergone peer review through this link: https://peerreview.aicpa.org/public_file_search.html.

Frankenstein’s monster. Does it appear that sections, paragraphs, and sentences have been cut and pasted together to make up the report? Not only does this signal poor quality, it could also mean the auditor is blindly transferring sections from one client’s report to another. Such a practice, at the very least, calls the legitimacy of the report into question.

Why pay more

Cybersecurity professionals. Your auditor should have professionals with the proper training, experience, and credentials. Look for auditors with the CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), and CISM (Certified Information Security Manager) designations. Sometimes firms discount their services because they lack these professional resources on staff. Is that a sacrifice you want to make?

Quality control. There are, or should be, back-end processes supporting the audit that might not be apparent because they are not customer-facing, such as quality control. Quality control means more than correcting grammatical and formatting errors; it should serve to ensure conformity with AICPA standards. Because quality control is not customer-facing, it is an easy corner to cut. But cutting corners often leads to oversights or errors that compromise the legitimacy of the audit.

Assurance. The audit is a mechanism to evaluate your security controls and provide information you can use to improve them. A more thorough, professional audit might be a little more expensive, but it could also be the difference between staying secure and suffering a much costlier security breach.

For more information on SOC audits and reporting, contact HBK Risk Advisory Services at 724-934-5300, or by email at mschiavone@hbkcpa.com.
