Are You Paying Too Little for Your SOC Report?

Date April 29, 2022
Authors Matthew Schiavone, CPA, CISSP, CISA

Preposterous question? Maybe. Paying less for something, especially if the work seems satisfactory to you, can be a good thing. However, when it comes to SOC (System and Organization Controls) reports, it’s not just about you. Too many SOC reports either are of poor quality or lack utility, or both. These reports have a purpose, internally as well as externally, and you want to be sure your report can be relied on to accommodate the reasons you invest in them.

What you pay for

First, as with any audit, you’re paying for an independent, professional examination. In today’s digital world, cybersecurity and information assurance is critical, and for the sake of your business you want an independent review and the opportunity to learn about any weaknesses or other areas where you need to make improvements. An SOC audit should not consist of a rubber stamp; it shouldn’t be a check-the-box exercise, which can be the case with a low bid.

Secondly, there’s a good chance you undergo an SOC audit because of customer demand. Even if it is a proactive measure, your customers request these reports. Unfortunately, in the past it wasn’t uncommon for customers to request a report, then file it away without getting past the cover page. The request might have originated from a need to demonstrate their vendor’s risk management process, or because they know their auditors will demand them.

But the times are changing. Your customers are scrutinizing your SOC reports, and they need to provide your customers crucial information about your systems, operations, and internal controls. Poor quality reports can leave your customers questioning the legitimacy of … well … everything—the auditor, the auditor’s tests, the audit results, and even management’s decisions.

Some ways you can determine that you’re not getting a quality report:

The auditor testing only includes inquiry. Per American Institute of Certified Public Accountants (AICPA) guidance, when testing a control, auditors cannot rely on inquiry alone. They must conduct inspection, observation, or re-performance in conjunction with any inquiry. However, it’s not uncommon to find reports where an auditor’s testing only includes inquiry. Not only is inquiry a weak form of testing and not in conformity with AICPA guidance, readers can’t and don’t rely on it.

The issuing CPA does not undergo peer review. SOC reports can only be issued by CPAs, and only by CPAs who undergo peer review. If the issuing CPA firm doesn’t undergo peer review, the report is not legitimate. You can check to determine whether a CPA has undergone peer reviews through this link: https://peerreview.aicpa.org/public_file_search.html.

Frankenstein’s monster. Does it appear that sections, paragraphs, and sentences have been cut and pasted to make up the report? Not only does this signal poor quality, it could also mean the auditor is blindly transferring sections from one report to another. Such a practice, at the very least, questions the legitimacy of the report.

Why pay more

Cybersecurity professionals. Your auditor should have professionals with the proper training, experience, and credentials. Look for auditors with the CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), and CISM (Certified Information Security Manager) designations. Sometimes firms will discount their services given the lack of professional resources on staff. Is that a sacrifice you want to make?

Quality control. There are, or should be, back-end processes supporting the audit that might not be apparent because as they are not customer-facing—such as quality control. Quality control means more than correcting grammatical and formatting errors; it should serve to ensure conformity with AICPA standards. Because quality control is not customer-facing, it is an easy corner to cut. But cutting corners often leads to oversights or errors that compromise the legitimacy of the audit.

Assurance. The audit is a mechanism to evaluate and provide information you can use to improve your security controls. A more thorough, professional audit might be a little more expensive, but it could also be the difference between security and experiencing a much costlier security breach.

For more information on SOC audits and reporting, contact HBK Risk Advisory Services at 724-934-5300, or by email at mschiavone@hbkcpa.com.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Doing Business with Microsoft? Privacy Protection is Key

Date September 9, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

Microsoft executives take security and privacy initiatives seriously. Not just their own, but those of their vendors, as well.

Microsoft is committed to Vendor Risk Management (VRM). Suppliers and business partners are often required to undergo varying levels of attestation to their information security initiatives, including SOC 2 or Microsoft’s Supplier Security and Privacy Assurance (SSPA).

Microsoft has established data protection requirements (DPRs) for suppliers who process Microsoft personal or confidential data. More often than not, suppliers must undergo annual attestation as to their ability to meet the requirements defined in Microsoft’s DPR.

“Process” in Microsoft’s DPR refers to any operation or set of operations performed on any Microsoft personal data or confidential data—and whether or not operations are by automated means. Processes include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or dissemination, and alignment or combination, restriction, and erasure or destruction.

SSPA is a Microsoft program that involves not only making sure that suppliers understand these requirements but ensuring their compliance. The program combines Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to make certain that suppliers follow privacy and security principles when processing Microsoft personal data or Microsoft confidential data. It covers all global suppliers processing Microsoft personal or confidential data.

Suppliers considered high risk are required to provide independent verification of DPR compliance. Such companies are asked to select an independent auditor affiliated with the American Institute of CPAs (AICPA) or the International Association of Privacy Professionals to assess DPR compliance; that auditor is responsible for providing an unqualified letter of attestation to the Microsoft SSPA.

At HBK, our affiliation with the AICPA is merely one aspect of our capabilities. Our auditors have years of experience performing attestation engagements, including extensive SOC 2 work. We have intimate knowledge of security and privacy best practices and hold these critical credentials: Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Most importantly, we are experienced in navigating businesses through Microsoft’s SSPA and compliance with the company’s Data Protection Requirements.

We can help you if Microsoft is on your business horizon and you want to maximize the value of these efforts–or if you’re preparing for a security audit. Call us at 724.934.5300 or email me at MSchiavone@hbkcpa.comand let’s get started.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



HBK CPAs & Consultants Among Fastest-Growing Great Lakes Firms

Date November 5, 2018
Authors Patricia A. Kimerer, PWE & Director of Communications

HBK CPAs & Consultants (HBK) is one of the fastest growing CPA firms in the country according to the 2018 Inside Public Accounting (IPA) magazine poll.

The survey, which calculates firm size based on reported growth in net revenue, ranks HBK as the fourth fastest-growing CPA firm in the Great Lakes region. The region includes firms in Illinois, Indiana, Michigan, Ohio and Wisconsin.

HBK has consistently been listed in the IPA’s “Top 100 CPA Firms” over the past two decades. Additionally, HBK is a perennial “Top 100 Accounting Firm” according to Accounting Today (AT) magazine rankings. In 2014 and 2017, AT also listed HBK as one of the fastest growing firms in the U.S.

HBK CEO and Managing Principal Christopher Allegretti, CPA, credits his team’s efforts to work in collaboration across specialty and industry-specific service lines and throughout widespread geographic regions.

“Our focus is collaboration, working together,” he said. “We tap the depth of our resources to their fullest extent, the collective expertise of hundreds professionals in five states.”

Allegretti added that collaboration contributes to the firm’s strength in developing all-inclusive solutions. “Developing a comprehensive understanding of a client’s financial circumstances as a basis for helping them grow and protect their wealth is a hallmark of our practice and has been a great differentiator for us.”

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Pennsylvania Eases Compliance Requirements for Nonprofits

Date February 7, 2018
Authors Sean Kocan
Categories

For many small to medium-sized nonprofits registered in Pennsylvania, the requirement that a CPA provide assurance on their financial statements has been a substantial expense, money better used for their charitable missions. House Bill 1420 has amended the Solicitation of Funds for Charitable Purposes Act to increase the thresholds used to determine when, and to what extent, CPA assurance is required for the annual financial statements of charitable organizations registered with the State.

The Act continues the requirement for either internally-prepared, compiled, reviewed or audited financial statements. However the contribution ranges for which these various levels of assurance are necessary have been increased, as illustrated in the table below:

Nonprofit Tax Chart

The definition of “gross annual contributions” remains unchanged as “total national contributions from all sources based on the organization’s immediate preceding fiscal year end.”

The new thresholds apply to all charitable registration renewals due February 15, 2018 or later (for March 31, 2017, fiscal year ends or later) and to all new charitable organization registrations filed on or after February 20, 2018. The Act should reduce compliance costs for smaller organizations and more closely aligns Pennsylvania’s requirements with those of the current Federal Uniform Guidance.

If you have questions or would like to discuss the impact of this change on your organization, contact Sean Kocan or your trusted HBK team member.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Auditing the Auditor: Questions to Ask Before and After an Audit

Date June 22, 2017
Authors Sean Kocan
Categories

Managers of small and mid-size businesses and nonprofits often hire external auditors to ensure the integrity of the financial statements they provide to investors, creditors and other outside parties. As management, you are ultimately responsible for your financial reporting, so it is critical to be certain of the quality of the audit process you rely on by evaluating the qualifications and performance of the audit team, the quality and candor of the auditor’s communications, and the auditor’s independence and objectivity.

Not all auditing services are created equal. It might be tempting to engage a low-cost provider, but the adage, “you get what you pay for” applies. An inaccurate or incomplete job could leave you exposed. A quality firm will assure you an accurate, timely, comprehensive report – and can deliver valued-added benefits low-cost providers cannot or do not provide, including communicating opportunities for operational improvement, offering frank and informed responses during face-to-face meetings, and delivering access to sophisticated guidance and specialized services.

Use the following questions to determine the quality of an existing or prospective external auditing firm.

Pre-Engagement:

  • Did the audit team discuss the audit plan and the organization-specific areas of financial reporting risk it would address? Does the audit plan consider your reporting timeline and are you and the auditor in agreement on the applicable significant risk areas?
  • Does the audit team understand your organization’s business, industry and how various economic environments and trends impact your business?
  • Does the firm have the industry expertise and geographical reach to serve your organization? How deep is the firm’s industry talent pool outside of the assigned team?
  • Did the firm demonstrate its independence and describe the safeguards in place to protect its independence?
  • Does the firm have a process for overseeing audit quality, to ensure that standards are met and methodologies are followed? How extensive is the review of the audit file prior to report issuance?
  • What are the results of the firm’s most recent peer review examination? What were the findings and how did they respond? Was the firm’s peer reviewer reputable?
  • What do the audit firm’s references say about the audit team? Exemplified behaviors in the past with similar clients best illustrate the performance you can expect.

Engagement Evaluation:

  • Did the audit meet the perfor­mance criteria as reflected in the engagement letter and audit plan? If the audit plan was not met, did the audit team discuss the reasons with you timely?
  • Did the audit provide details on the quality of your organization’s financial reporting, including whether your estimates and judgments are reasonable?
  • Was the auditor able to compare your accounting policies with industry best practices? Did he or she inform you of any current and upcoming changes to accounting principles and auditing standards?
  • Did the lead auditor maintain open dialogue with management and were communications always comprehensive and understandable?
  • Were sufficient and appropriate resources dedicated to the audit? Did your team consist of experienced auditors and was the partner visible during all stages of the process? Were specialized resources required and employed?
  • Was the cost reasonable for the size, complexity and risks of your organization?
  • Did the auditor ask for feedback on the audit and how did he or she respond to your feedback?
  • If there was a change in your audit team from the prior year, did the lead audit partner explain the transition and were the reasons for the change acceptable? How frequently are you experiencing new faces on your audit team?

The audit process is more art than science. The experience, judgment and even personalities of your auditors determine the quality of the audit you will receive. HBK has created an environment of audit quality through our staffing decisions, audit methodology, technology investments and quality control systems. And we support our clients and prospective clients in the conduct of thorough assessments of our work and our firm so they are comfortable they are getting the value we promise. We encourage all organizations to do the same to ensure the independent auditors they engage are qualified, candid and objective, and their reports will be accurate and comprehensive delivering the value and quality you deserve.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Can Your Not-for-Profit Organization Participate in the Election?

Date August 27, 2016
As the presidential election campaigns continue to heat up, not-for-profit organizations may be tempted to join in the fray.  Although it’s been said that politics and tax exemptions don’t mix, that’s an over-simplification of the restraints imposed on Section 501(c)(3) organizations. Granted, Section 501 not-for-profits can’t engage in political campaigning. Because of the consequences, they must be vigilant. In the worst-case scenario, a misstep could result in losing its tax-exempt status. Nevertheless,   there may be more leeway in the political arena than you think. Ground Rules Essentially, tax-exempt organizations aren’t allowed to directly or indirectly act in federal, state or local campaigns either for or against a candidate or party. Thus, you cannot support or oppose  candidates for offices such as:
  • President,
  • Senator or member of congress,
  • Governor,
  • Mayor,
  • Member of a school board,
  • City supervisor, or
  • County trustee.
The IRS will base its determinations of violations on an organization’s other activities and its current situation. For instance, if your nonprofit invites a candidate to make a campaign speech at a fundraising event for your charity, or you feature an elected official stumping for a candidate, your organization has clearly violated the prohibition. Similarly, posting messages on your website supporting or opposing  a  candidate isn’t allowed. However, some advocacy and lobbying may be allowed. What Your Organization Can Do Here are a few examples of what your nonprofit is allowed to do:
  1. Sponsor an appearance by a candidate or public official. If the person is being invited as a candidate, don’t indicate any support or opposition and give other candidates the opportunity to appear. If it’s in some other capacity, such as being involved in your charitable mission, be sure the appearance doesn’t turn into a campaign stop or fundraiser for that person.
  2. Hold a debate between candidates. You must invite all of the candidates, have an independent panel prepare the questions, cover a broad range of topics (including those significant for your organization) and provide every candidate with an equal opportunity to speak. An impartial moderator should state that the views expressed within the debate don’t represent those of your organization.
  3. Advocate a political issue without attempting to intervene in a campaign. You can go so far as to try to sway the candidates to your way of thinking and encourage them to take a public stand.
  4. Help to build planks within a party’s platform. This may be accomplished by delivering testimony to the party’s platform committee — as long as you clarify that the testimony is strictly educational and report the testimony in your organization’s newsletter or other publication.
  5. Launch a nonpartisan “get out the vote” drive. The drive must be designed solely to educate the public about voting and can’t promote or oppose a candidate or party.
What Your Organization Can’t Do Now here are some things you aren’t allowed to do:
  1. Support a candidate or party for election. For instance, you can’t get behind or oppose a declared candidate or third-party movement, engage in efforts to draft someone to run for office, or do advance exploratory work for electing a candidate or party.
  2. Contribute to a campaign or endorse a candidate. This includes indirect support, such as volunteering to make calls on behalf of a candidate as well as direct financial support. Not-for-profit workers can, however, contribute their own time and money away from work.
  3. Provide any form of monetary support. Not only are organizations barred from donating funds to a candidate or party, they can’t use another event to raise funds. In the same vein, your group cannot hold a dinner or other event to sponsor a candidate or political organization. Section 501(c)(3) not-for-profits are also barred from making loans for these purposes.
  4. Request support for your organization or charitable mission from a candidate, political party or other political organization in exchange for your endorsement.
  5. Distribute any materials encouraging recipients to vote one way or another. This includes any website communications.
If the IRS suspects that your organization has violated the rules, it may notify you by letter and then – conduct an on-site investigation. Offenses are punishable by revocation of tax-exempt status, but first-time offenders may get away with a slap on the wrist. For example, you might agree to change  procedures and stipulate that the violation won’t occur again. If your nonprofit spent funds on the banned activity, however, the IRS may impose excise taxes.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.