Not all SOC providers are the same, and a one-size-fits-all approach could mean disaster. What questions should you ask? Sabrina Serafin and Shelby Nelson, SOC lecturer and Partner with Frazier & Deeter, dive into that topic in this episode.
To learn more about SOC, listen to our previous podcast: SOC Reports – Advantages & What to Expect
Culture of Compliance was recently named #1 in “Top 25 Regulatory Compliance Podcasts You Must Follow in 2020” by Feedspot.
Culture of Compliance: Choosing a SOC Provider
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance Practice.
Today, we’re talking to Shelby Nelson, a Partner with our firm, who is a subject matter expert in system and organization controls, or what we refer to as SOC Readiness, Examinations and Reporting. Shelby holds a CISA and is also credentialed with the CISSP, the CDPSE, Cyber SOC, and Advanced SOC designations.
She is a frequent speaker nationally regarding SOC examinations, and she is the 2020 AICPA SOC School curriculum author as well as instructor. She also is an AICPA SOC peer review specialist. There are few others who I think can talk about this subject more than Shelby. Shelby, welcome to the podcast.
Shelby Nelson: Thank you, Sabrina.
Sabrina: We asked Shelby to join us today to talk specifically about system and organization controls reporting, better known as SOC reports, which is how we will refer to them going forward. Shelby, can you start us off by defining what a SOC report is and why an organization would need to obtain a SOC report?
Shelby: Happy to, Sabrina. In one of our earlier podcasts, we went through in great detail defining the differences between the various SOC reports, so please be sure to visit frazierdeeter.com to find those podcasts. Just in a quick summary, though, the most common are the SOC 1 and SOC 2. A SOC 1 is an examination over a service organization’s controls as they impact the ICFR of their customers, or the internal controls over financial reporting of their user entities.
Think of it this way: a SOC 1 is financial reporting. SOC 2, on the other hand, is vastly different. It is primarily an IT-focused exam, and it can cover five of the AICPA trust service categories, which are security (the required trust service category), availability, confidentiality, processing integrity and privacy. In summary: SOC 1, internal controls over financial reporting; SOC 2, primarily an IT focus.
You also asked me, Sabrina, why an organization would want to obtain a SOC report. There are lots of reasons an organization would seek to undergo a SOC examination with the intent of obtaining the report itself. A lot of our clients come to us and say, “Hey, we’ve got a potential client that is requiring this examination before they will engage our services. Can you help us?” Another reason is just to be a differentiator in any industry, to set yourself apart from your peers or competitors, to show transparency to your user entities about your control environment. So, there are lots of reasons an entity would want a SOC report.
Sabrina: So, what you’re saying is some of them are voluntary and some are involuntary?
Shelby: That’s right. SOC examinations themselves are voluntary; there is no industry requirement to undergo a SOC examination, whereas if you’re a public entity, then you must have Sarbanes-Oxley in place. A SOC exam is a little different. It’s an elective process unless, of course, you have a user entity that’s requiring you to have one through a contractual obligation.
Sabrina: So, if a company is considering or required to undergo a SOC examination, how do they understand their organization’s level of readiness? What advice do you have for finding an advisor to even assess the readiness to begin an examination?
Shelby: That’s a good question. If a company is considering undergoing a SOC exam, how do they evaluate their own level of readiness? The first thing they should do is make sure that they understand which SOC exam is the most applicable for their environment or for their organization. After they’ve made that determination, then the second is to get an understanding of what criteria would be required to go through an actual examination.
Most of our clients come to us looking for that education and clarification, and to have some assistance to evaluate which is the most appropriate in the SOC suite of services, which one is the most appropriate exam for their needs, and how they determine their level of readiness. So, to be ready to go through readiness, that sounds kind of funny, but that’s essentially what it is: is a user organization control mature?
In other words, are your policies and procedures well documented and in place? Do you have very well-defined organizational charts and job positions? Those are some baseline questions that you can ask yourself to determine if you’re even ready to undergo a readiness. So, we differentiated between readiness and exam. Do you feel like we get asked more for readiness exercises or examinations?
Sabrina: Absolutely, readiness. We’ve found in the industry that more organizations are requiring due diligence around vendor management, so we’ve seen a large uptick of requests for SOC 2 based on the high number of breaches that we’re seeing as a result of vendor relationships, insecure connections, or controls that are not operating effectively.
So, the majority of organizations that are reaching out are first trying to understand what a SOC examination is and then are looking to understand what they need to do behind the scenes to be able to successfully complete one.
Shelby: That’s right. And what does that lift look like? To put it in layman’s terms, how much of an effort does it require on their behalf to even begin the examination process? Lots of questions like that we get at the beginning of a readiness engagement.
Sabrina: That’s right. There’s a lot that a service auditor can do, but there’s a lot that they can’t do. What they certainly can’t do is implement, or operate, controls within an organization. A service auditor can certainly make recommendations and, most specifically, align those recommendations to the complexity of the environment and the criteria of either the control objectives for a SOC 1 or the trust services criteria for a SOC 2.
Shelby: Good point, Sabrina. As a service organization is evaluating potential service auditors, they should be abundantly aware of the level of independence that any service auditor must maintain in a readiness and especially in an examination engagement.
You mentioned that the service auditors should not perform any of the controls or create the controls that the service organization should have in place. If you have a service auditor that says, “Yes, we can do that for you,” be cautious: they must maintain their independence based on AICPA attestation standards.
Sabrina: So, understanding that a service auditor can support you through the readiness process, what are the qualifications when selecting an advisor to help with readiness and the eventual examination?
Shelby: I love this question. As a service organization is evaluating a potential service auditor, the number one thing to note is that not all providers are alike. The service auditors should certainly have the right credentials, both as a part of their firm and individually, so thank you for introducing me, Sabrina, and listing off all of the letters that follow my name. Those are a few of the professional designations that a service auditor who’s performing SOC engagements should have to be able to support a service organization appropriately.
I’d also caution consumers to be wary of a firm that indicates a very short timeline or an engagement fee that just seems too good to be true. There are times when we are one of several service auditors being evaluated for a service organization, and I’ll get the question, “Shelby, this firm over here says they can do it in three weeks and for half of what you’re offering, what do you think about that?” and my response is: you get what you pay for.
A SOC examination is a lengthy process. A service auditor who is very experienced in SOC examinations should be able to help a service organization really understand what the whole process entails and why there is a length of time that’s involved in the process overall. So, just be cautious if a service auditor seems to commit to something that may be too good to be true.
Sabrina: Shelby, you make an interesting point, but I think we should clarify why lower fees would be something that someone would raise an eyebrow at.
Shelby: As a SOC peer review specialist, I have the opportunity to evaluate SOC examinations that have been performed by all kinds and sizes of firms. In my experience, I have come across some examinations where a firm may use a one-size-fits-all approach, no matter the size of your organization, no matter the complexity of your IT environment or the level of internal controls over financial reporting that you should have in place that impact your user entities.
So, make sure that you understand and agree upon a clear engagement scope, objectives, how the service auditor will approach the examination, the timeline, and the engagement team; all of those factors should be abundantly clear. The level of customization that they are committing to as part of the examination is also key.
Sabrina: Shelby, one of the important questions will be: for a quote that seems unreasonably low, what might I expect on the back end? Because in our experience, we see with these lower fees that very often you’re having to either overload your internal resources for what you may have expected your auditor to be managing, or at the same time you could be hit with additional fees based on the fact that that scope was not defined on the front end. And once you’re in the process, it’s a little bit too late. What are some other questions, Shelby, that you would suggest our listeners ask a potential service auditor before they hire them to perform either readiness or a SOC examination?
Shelby: There is an abundance of questions, but I will try to summarize what I think are the top 10 questions that I am typically asked by a potential client evaluating me as a potential service auditor for a SOC examination. The first question, and they can do this on their own, is to determine that the CPA firm that you are speaking with is a CPA firm in good standing.
Sabrina: How would they be able to do that on their own?
Shelby: Oh, it’s really easy. All you have to do is go to the AICPA website and you can find the firm resources section, where you can determine if a CPA firm is accredited and in good standing. The second thing, which is a great question to ask right at the onset, is: what’s the average number of SOC reports that your organization issues on an annual basis? If you get the response, “Well, we just started” or “Last year we issued less than 10”, that should raise an eyebrow.
Sabrina: What does that tell you?
Shelby: That can tell you that a CPA firm might just be starting to build a SOC practice and may not have the understanding and years of experience that it takes to complete an examination effectively and efficiently. It can tell you that they don’t have the number of people within the firm that have the right experience or credentials to be able to execute a SOC report, or they may not have the tools in place to facilitate the examination and the audit burden.
Another question to ask is if a CPA firm has been through a peer review for SOC. In auditors’ terms, if a CPA firm issues at least one SOC exam, it’s considered a “must select”. When a CPA firm goes through a peer review, that examination is subject to review. If they’ve been through peer review, you can ask what the result of that review was as it pertains to the SOC report. If they’ve gotten a lot of negative feedback or corrective information, that might be something to be cautious of as well.
Sabrina: We are seeing an uptick of organizations that are requiring an AICPA peer-reviewed firm to perform their examination. That tends to come with some of the large organizations or public companies, so that is an important question to ask and a piece of information to know. Good point, Shelby. These are great; what else?
Shelby: Another great question to ask the potential service auditor: have they completed AICPA SOC training, and have the team members that will be working on the engagement completed that training as well? Number five: what is the experience of the engagement team members that will be working on my SOC engagement? If you’re speaking with a partner or a principal within a CPA firm about a SOC examination and they can’t tell you the actual individuals that are going to be on the engagement, or their professional designations and level of experience, that should be concerning to you as well.
The last thing you want is to sign an engagement letter with a firm and then, the next thing you know, you’ve got some very junior associates in your organization asking all these questions who have no idea what they’re doing and can’t support your SOC examination effectively and efficiently. I know I keep saying those two words, but with the SOC examination process and the readiness process, there are so many moving parts and components that it is so important to work with a firm who has the experience and tenure and expertise to help make this process as smooth as possible.
Sabrina: Shelby, one thing that we know about SOC examinations is they can be very disruptive to an organization because of the number of parties involved and the amount of evidence and documentation that has to be presented. You mentioned efficiency. What kind of questions can an organization ask to determine whether a firm is going to be disruptive or not?
Shelby: You can ask a potential service auditor or their firm what tools they have in place to minimize the burden of the examination or the readiness. So, for example, Frazier & Deeter has a proprietary reporting tool that’s been built by and for FD to help facilitate the reporting process and the speed of time from the end of an examination to actually generating the report. We also use a third-party online collaboration tool to facilitate the way we exchange information and documentation. It’s extremely beneficial and creates so many efficiencies in all of our examinations and readiness engagements.
Sabrina: Thank you. I do get asked a lot about system descriptions.
Shelby: Yes, system descriptions. In every SOC report, there is a section that is called the system description or the description of the system. This is a very hefty portion of the report; it is the novella that explains a service organization’s control structure, information technology, and general computer controls and, if it’s a SOC 1, the control objectives and the controls that are in place to support those control objectives. It’s a lot.
The question that we get from service organizations is, “How much can we count on you to help us with the system description?” Ultimately, the description is owned by, and to be created by, the service organization. Obviously, we can’t expect every service organization to know what goes into a system description, but what is important to understand is the level of support and guidance that your service auditor will provide in making sure that it’s accurate and complete.
Sabrina: That’s a great observation. You mentioned earlier the difference between a SOC 1 and a SOC 2; I’d add that the system description for both examinations is meant to be an auditor-to-auditor communication, and the AICPA requires a certain format and auditors require a certain amount of information. When we talk about the SOC 2, the audience for a SOC 2 expands beyond auditors.
A SOC 2 is used by anyone within an organization that has a requirement to understand the control environment at the third party. So, this system description really serves two functions. One is communicating to any auditors, but also, you’ve got technical individuals, compliance individuals, and procurement individuals who will be using this material. It has to be written in a way that makes sense to them and makes the organization more appealing. Wouldn’t you agree?
Shelby: Absolutely, Sabrina. That brings up another point when we talk about system descriptions, which is the SOC 3. We were speaking about system descriptions and the differences between a SOC 1 and SOC 2 and why they’re important as auditor-to-auditor communication. In a SOC 3, that information is meant for general use and is publicly available. So, you can literally publish your SOC 3 exam, or your SOC 3 report, on your entity’s website. You want to work with a service auditor who has the experience and knowledge to be able to support you in that documentation, since it is public facing.
Sabrina: That’s correct.
Shelby: Another question I get asked, not as common a question as some of the others that we’ve talked about, Sabrina, is “Does your firm have the experience or capability to issue reports under both AICPA attestation standards and international standards on assurance, or ISAEs?”
Sabrina: What does that mean?
Shelby: The AICPA allows SOC reports to be published under both standards. That’s really important for a service organization that has a presence in countries outside the United States. For an organization to consume or rely on a SOC report outside of the United States when it’s published under both standards, it allows auditors that are familiar with ISAEs to rely on that information that’s published predominantly under AICPA standards. So, it makes it an international report instead of just a US-based report.
Sabrina: So, it allows us to evaluate international organizations or entities the same way you would want in the United States?
Shelby: That’s correct. A SOC report can be issued under AICPA standards or under both AICPA standards and ISAEs; it cannot be issued under ISAEs alone.
Sabrina: What about auditing in a virtual environment?
Shelby: Well, certainly we’ve seen the importance of that in 2020 and beyond. The days of service auditors going and camping out in conference rooms and spending time with clients to do person-to-person walkthroughs and observations are a thing of the past. We at Frazier & Deeter have moved to a 100% virtual environment, and we have created processes and ideas and solutions to be able to support our clients all over the world in a 100% virtual environment. Our limited ability to have a physical presence does not stop us from being able to support a SOC engagement.
Sabrina: Would it be fair to say that the AICPA has provided guidance around auditing in a virtual environment?
Shelby: They have. I contributed some information on SOC reporting to the AICPA in the COVID environment; there is special COVID guidance on the AICPA website and on the frazierdeeter.com website on reporting attestation engagements in a COVID environment. Be sure to check those out.
Sabrina: Shelby, I’ve heard nine questions; let’s ask the last one. What about SOC 2+? Let’s talk about that.
Shelby: That’s a great question, and one that’s becoming more popular given the length of time that SOC exams have been in the marketplace. SOC 2+ is a SOC examination that takes the AICPA trust service categories and includes an additional framework such as PCI DSS, HITRUST, HIPAA, ISO, etc. We talked earlier about why a service organization would want a SOC exam: it could be a client requirement or a potential client requirement, and that client is saying, “In addition to SOC 2, we need you to indicate your HITRUST compliance or your HIPAA compliance, perhaps maybe even your GDPR compliance”.
At Frazier & Deeter, we have dedicated service lines to provide attestation services in most of those frameworks that I just mentioned, which also allows us to easily add in or overlay, if you will, those frameworks with the SOC 2 AICPA trust service categories. We have those mappings in place ready to go, so we can provide a solution to your service organization no matter what framework or attestation standard you’re looking to achieve.
Sabrina: Thank you, Shelby. As we wrap up, do you have other advice for organizations who are trying to decide if they are ready to engage a service auditor?
Shelby: One way a service organization can look to find a service auditor is, obviously, online; we all default to search engines online and we Google “SOC”. That’s certainly one way, maybe not the best, but another way is to ask some of your business partners. It’s likely that they themselves have gone through this evaluation process, or perhaps are existing SOC reporters, and can add some value or some guidance as to how they went through the process themselves.
We’re always happy at Frazier & Deeter to answer any and all questions regarding SOC, even if you just want some internal training as to what this is, or how to evaluate a SOC exam or a SOC report that you’ve received and want some more clarification on. There’s not one answer as to the way a service organization should go about finding a service auditor. But when you do, hopefully the information we’ve provided you here today can help you ask some really good probing questions to evaluate any service auditor as you go through the SOC examination process.
Sabrina: Great advice, Shelby. Thank you again for being with us today.
Shelby: Thank you, Sabrina.
Sabrina: To our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.