The Rise and Fall of SOC 2 audits

The History of SOC

SOC 2 was first launched in 2010 by the American Institute of Certified Public Accountants (AICPA) in response to a requirement to make their SSAE16 audit criteria more tech-friendly. The AICPA is the national professional organization of Certified Public Accountants (CPAs) in the United States, with more than 428,000 members in 130 countries. It has been responsible for setting the standards for financial audits ever since SAS 1 in the 1970s, and standards for information security audits since the 1990s with the introduction of the SAS 70. The introduction of Sarbanes Oxley in 2002 included a clause requiring public companies to assess the effectiveness of internal controls for financial reporting which brought the AICPA and SAS standards into focus for most companies looking to go public as part of their roadmap. 

People may ask what a financial audit has to do with security? The answer stems from the need for organizations to understand financial risk. As more tech organizations, such as cloud providers, became increasingly reliant on expensive infrastructure, the AICPA developed controls in their original SAS 70 framework to ensure the value of assets was not compromised. Organizations that own infrastructure worth millions of dollars could have significant financial exposure should those assets be impaired. The AICPA implemented requirements around the protection of those assets, such as protection against flood, storm, fire, and other environmental factors. Organizations looking to demonstrate effective security controls started to adopt these measures and use them as a substitute for security controls. Noticing this opportunity, AICPA enhanced the SAS 70 framework evolving it into SSAE 16 and subsequently the current SOC 2. Its popularity continued to grow into the current format of SOC 2 that we know today. 

Image: SOC reports focus on controls addressed by five semi-overlapping categories 

called Trust Service Criteria.

SOC 2 key weaknesses

Since 2016, we have seen SOC 2 rise from being a fringe financial control to now the most common security framework in the US. Some of the key strengths of SOC 2 are also its key weaknesses. Other security frameworks, such as HITRUST, are prescriptive in nature, however, SOC 2 allows for significant flexibility in the definition of scope and in the drafting of the management assertion. At a high level, a SOC 2 audit checks to see whether an organization exercises the controls they say they have in place. While a SOC 2 Type I predominantly assures that an organization has these controls documented, a SOC 2 Type II looks for evidence that the controls are actually in operation by reviewing evidence over a predetermined control period. 

It is this flexibility that has allowed SOC 2 to grow in popularity amongst smaller and less established tech companies. While this level of attainability helps to ensure organizations are indeed investing time in developing a basic security program, the ability to manipulate the scope has led to significant abuse of this audit. This ability to manipulate the scope means that it is difficult to compare one SOC 2 with another and also allows organizations to avoid auditing areas that are perhaps their weakest link. There is also increased pressure from the market to simplify the audit process to keep costs low which can adversely affect the quality of the audit as it was originally intended. This is particularly troubling since part of the reason for the popularity of the SOC 2 is the reputation of the AICPA and its close association with high integrity financial audits. 

Is the popularity of SOC 2 affecting the quality of audits?

The AICPA publishes a code of ethics and presents itself as maintaining the highest ethical standards. However, as SOC 2 has grown in popularity, we have also seen an explosion in the number of CPAs becoming accredited to perform a SOC 2 audit. There has also been a significant increase in the number of security consultants and platforms claiming to support the SOC 2 process. Inevitably, this has led to a continued dilution of the SOC 2 audit, as pricing pressure is forcing many CPA/auditor organizations to sacrifice quality for quantity. 

Can a SOC 2 be completed in 2 weeks?

As the old saying goes, if it seems too good to be true, it probably is too good to be true. When we see organizations promoting 2-week SOC 2 audits and platforms claiming full automation of the SOC 2 process it gives me cause for concern. Typically it requires an audit firm a minimum of 400 hours to conduct a full and robust assessment, however, these are now being performed in less than 100 hours by some organizations. One would expect that this would be of significant concern to the AICPA as the quality of the review is bound to be affected.  

Auditor peer reviews - creating a possible conflict?

Of particular concern in maintaining the quality of SOC 2 audits is the auditor peer-review process. A key element of the AICPA code of conduct is the peer-review process. This process is designed to ensure that an auditor is subject to review at any time by a peer AICPA organization. The purpose of this review is to ensure that auditors maintain quality standards in their audit reviews.  However, the way this peer review process is implemented seems flawed.  An audit firm can self-select the peer that will conduct the peer review and is even responsible for paying the fee for the peer-review process. We believe this system is seriously flawed and can lead to a conflict of interest, where a reviewing audit firm’s independence from the process is not maintained.

The future of SOC 2 - cheaper is not always better

The popularity of SOC audits has led to an increase in membership for AICPA. However, more CPAs are not always leading to more quality audits being performed. There is a growing concern in the industry that not all SOC 2 audits are equal. This completely defeats the purpose of having an independent security audit. If we can’t trust the integrity of the SOC 2 audit, what is the alternative? If organizations can buy cheap SOC audits that are nothing more than a checkmark, completed in 2 weeks with a very high-level review, how do we know that they are legitimately building an effective security program and, as customers, how can we trust them with our company data?

Invest in a SOC 2 audit the right way

At Ostendio we are committed to ensuring that all of our customers build and operate an effective security program regardless of any compliance obligations. We work with authorized auditors that understand the complexity of SOC audits and the quality of work that is required to do an audit the right way. We understand that preparing for and passing a SOC 2 audit can be a significant investment of both time and money for our customers. 

Ostendio recently announced the Audit Guarantee program where we guarantee customers will pass their security audit the first time.  We do that, not by lowering the bar, but by working with our customers to ensure they are clearly operating against all required criteria and our MyVCM platform is able to track and manage all evidence in a way that any reputable/credible security auditor can conduct an independent and robust security audit, knowing that the organization is meeting every control. While this means an increase in effort for both the organization and the auditor the net result is a better outcome. When it comes to security would you want to work with a company that did it the cheap way, by cutting corners and automating controls, or would you prefer working with a company that has done the SOC 2 the right way with time invested in processes and security controls. 

Ostendio has security experts who are ready to speak to you about doing a SOC 2 audit the right way.  Schedule some time to speak to an expert about your data security needs.