Unfortunately, not all SOC reports or SOC audit firms are created equal. Here are some tips to ensure that your SOC report and the firm performing your SOC examination are up to par.
Confirm your firm is licensed – One day we received a call from one of our clients telling us that our fees were too high for their SOC 1 (formerly SSAE 16) audit since they had received an email offer from a firm offering to perform a SOC 1 examination for $5,000. This was before the firm proposing the offer had even discussed the scope of the examination or had any understanding of our client’s control environment. These types of “Craigslist” style firms exist, and many are unlicensed. Be sure to confirm that the firm performing your SOC examination is licensed by its State Board of Accountancy. Also, beware of having one company perform your audit only to have it rubber-stamped by a CPA firm. In fact, that would violate the first and second standards of fieldwork of the American Institute of Certified Public Accountants (AICPA), which are: 1) “Auditor must adequately plan the work…” and 2) “Auditor must obtain a sufficient understanding of the entity and its environment, including its internal control…” You can confirm a firm is licensed by contacting the state board of accountancy in the state the firm is licensed in. See the contact info for each state here. You can also use the NASBA CPA Verify site.
Who audits the auditor? – Ask whether your firm has been independently reviewed. Firms should go through a peer review or a Public Company Accounting Oversight Board (PCAOB) inspection to confirm the quality of their audit work papers and reports. Some states don’t require peer reviews, and some firms don’t go through them. Would you want your company independently reviewed by an auditor who doesn’t have their own work independently reviewed?
Controls do not provide reasonable assurance – For a SOC 1 report, there are a number of control objective statements that must be met for the report to have a clean (unqualified) opinion. Read these statements carefully and confirm that the controls tested for each control objective actually support that control objective statement. For example, a typical logical access control objective might state, “Controls provide reasonable assurance that logical access to systems and data are restricted to authorized individuals only.” The controls documented in the results of testing section of the SOC 1 report must adequately support that statement. I’ve seen reports where only three or four non-key logical access controls are tested in support of the statement that controls provide reasonable assurance, when those controls alone do not allow the control objective statement to be made.
Type II report with samples of one – A Type II report is supposed to cover an audit period of at least six months. As a result, for manual controls, the test procedures documented in the results of testing section of the report should test samples of the control operating across that period. I’ve seen clever wording of test procedures within a Type II report saying, “Inspected a sample logical access approval, noting that access was approved by a supervisor.” If you read the statement carefully, the auditor is only saying they looked at one approval. What about the other approvals? There is AICPA minimum sampling guidance that dictates how many samples need to be examined for a manual control. The sample sizes are determined by how frequently the control activity occurs within a year. Unless the control tested was an annual, quarterly, or automated control, a sample of one is not enough to confirm the control was operating effectively throughout the examination period.
If it sounds too good to be true, it probably is – It takes time for a firm to complete a quality SOC audit. Beware of firms offering to complete an audit remotely in a few days without a thorough understanding of the control environment. Also, beware of firms offering to complete the audit for incredibly modest fees. A simple sanity check is to divide the total engagement fee by the number of hours you would expect a proper audit to take. How many hours do you think two college-educated auditors will spend on an audit with fees of $5,000? It’s not worth losing one of your best clients to save a few dollars on a sub-par SOC report. Don’t wait for your clients’ auditors to bring a poor SOC report to your attention.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performing SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in internal audit across a variety of industries as well as for the City and County of Denver.