Risks Open New Opportunities for CPAs Through SOC Examinations

by Al Tanju, Windham Brannon Risk Assurance Senior Manager as written for the Georgia Society of CPAs January/February 2020 issue.

CPA firms have long been a source of credibility and trust for their clients, investors, and creditors. Most CPAs think of themselves as trusted business advisors providing traditional tax, accounting, and audit services. But our clients need guidance in more than the usual services. The rapid emergence of new technology and the ability to outsource any core business function imaginable to third parties expose businesses to cybersecurity and compliance risks that did not exist ten years ago. CPA firms are uniquely positioned to help companies face these evolving cybersecurity and compliance challenges through SOC examinations.

What are SOC Examinations?

SOC examinations are performed under the AICPA attestation standards that allow CPAs to render an opinion on the design and operational effectiveness of internal controls and the presentation of management’s description of the examined system. These examinations measure against myriad risks – both financial and non-financial – and can provide a reasonable assurance opinion over one of the more common and growing risks that companies face – such as security or privacy.

There are various types of SOC examinations that address different business needs:

  • a detailed description of the service organization’s system used to provide services that impact financial reporting and the related internal controls over financial reporting, the service auditor’s opinion on the fairness of the description, suitability of design, and the operating effectiveness of controls for the reporting period.
  • SOC 2 reports are designed to provide a CPA’s opinion about controls at the service organization relevant to the security, availability, or processing integrity of a service organization’s system and/or the confidentiality or privacy of the information processed by that system.
  • SOC 3 reports cover the same scope as a SOC 2 report but are a general use report designed to provide an overview of the operational controls pertaining to the suitability of design and operating effectiveness of controls intended to meet the selected Trust Services Principles and Criteria. A SOC 3 report can be used for marketing purposes,
    and a common practice is to post the report itself on the company website.
  • SOC for Cybersecurity reports are designed to help organizations communicate information about the effectiveness of their cybersecurity risk management program and controls.
  • SOC for Vendor Supply Chains reports (coming soon) will provide customers of manufacturing and distribution companies an understanding of the cybersecurity risks in their supply chain.

SOC Report Benefits for Clients

While audits and examinations are typically viewed as a cost of doing business, SOC examinations can also provide an excellent opportunity for clients to understand how their business processes are performing. This understanding can ensure they are delivering the agreed-upon level of service to their customers. SOC examinations also provide an opportunity for learning industry best practices and continuous improvement in both business and compliance processes. SOC examinations allow clients to establish and maintain credibility and trust with their customers, business partners and prospective customers. When potential customers ask, “how do you maintain the security, confidentiality, integrity, and privacy of our data,” clients can provide a SOC examination to explain how they do that backed by the opinion of a trusted CPA firm.

SOC Examination Benefits from a Practitioner’s Perspective

SOC examinations have allowed my firm to expand both our assurance and advisory lines of service. Our clients need help understanding and interpreting internal control frameworks and integrating compliance into their everyday business processes. When approached to perform a SOC examination, we provide advisory services in the form of a  “SOC readiness assessment.” We collaborate with them to initially conduct a risk assessment using a selected internal control framework, followed by a gap analysis to determine if internal controls adequately address the identified risk(s). Once gaps are identified, we are able to assist management to develop remediation plans to address internal control gaps. After management has remediated the identified gaps, we are usually engaged to perform annual SOC examinations to evaluate the design and operating effectiveness of their control environment.

Providing SOC examinations has allowed us to diversify our firm’s expertise and capabilities by hiring well-rounded and specialized professionals with skills in operational business processes, accounting systems, management information systems, information technology and information security. Our firm’s leadership has been forward-thinking for many years to commit to and invest in our SOC practice, namely to service our more sophisticated accounting and audit clients with evolving technology platforms and systems. The professionals who provide SOC examination services require a skill-set outside of typical accounting and finance degrees. Our professionals have degrees in accounting, cybersecurity, management information systems, and even mathematics,  to name a few. We look for professionals that are excellent communicators with both technical and non-technical audiences and have certifications such as a CPA, CIA, CISA or CISSP. These certifications are similar to the CPA in that they require CPE with courses specific to the respective professional designations.

Today’s regulatory environment has placed cybersecurity and compliance at the forefront of business challenges. CPA firms are positioned to enter the cybersecurity space by hiring technical talent and providing SOC examination to help companies establish trust with their customers. Through further diversifying assurance and advisory services, CPA firms can expand their relationship with their clients and perhaps broaden their marketing reach by helping prospective clients with their evolving business and compliance challenges.

This article originally appeared in the published in the Georgia Society of CPAs January/February 2020 issue.