Over the last several years there has been growth in the offering of SOC 2 software tools, also referred to as SOC 2 compliance monitoring tools (the terms are used interchangeably throughout this article). These tools provide functionality and support designed to help a service organization attain SOC 2 compliance. Examples of tools on the market that I have used are Tugboat Logic, Vanta, and Drata. Functionality continues to expand and improve, to the point where the question arises whether these SOC 2 software tools provide all of the information a service auditor needs to perform their duties without having to perform additional procedures outside of the tool.
What Functionality Do SOC 2 Compliance Software Tools Provide?
Functionality varies by tool, but there are similarities among them. Examples of functionality include (not all-inclusive):
- Knowledge bank of policies that the service organizations can pull from and modify to fit their environment.
- Forms to be used in daily processes such as onboarding and offboarding of personnel.
- Training modules.
- Tracking and management of individuals’ workstations for areas such as antivirus and patching of operating systems.
- Tracking of user access to systems that are linked to the SOC 2 compliance monitoring tool such as Azure, Active Directory, Office 365, etc.
- Monitoring of infrastructure and reporting of alerts and thresholds that are met or exceeded.
- Compliance monitoring and reporting of configurations the service organization has enabled within the SOC 2 compliance software tool.
- Risk assessment and risk management modules.
What Type of Reliance Can Be Placed on SOC 2 Compliance Software Tools?
The key to relying on such a tool is that it must be properly designed, configured, implemented, and managed. The tool must collect and report complete and accurate information before any reliance can be placed on that information or on the functionality of the tool.
The SOC 2 software tool may be linked to the service organization’s environment and provide reporting and monitoring of the entity’s activity. Given this, the provider of the SOC 2 software tool may be considered a subservice organization, as it is providing vital internal operations that may aid the service organization in attaining SOC 2 compliance. Taking this concept into consideration, the SOC 2 software tool provider may be a candidate for a SOC 2 report themselves. The entities subscribing to the SOC 2 software tool may have concerns over the AICPA trust services criteria: security, availability, confidentiality, processing integrity, and privacy.
How Does the Use of a SOC 2 Compliance Software Tool Impact the SOC Audit Process?
The use of a SOC 2 software tool can aid in the efficiency of the SOC audit process. The service auditor will obtain access to the tool, as granted by the service organization, and can perform much of the work relating to an audit of the information within the tool unaided. This allows for less of an impact in terms of time and resources needed by the service organization during the audit process.
In addition, the SOC 2 software tools may be configured by the service organization to systematically collect evidence. Thus, the service organization does not have to manually collect and provide requested evidence to the service auditor. The service auditor can collect the evidence directly from the tool.
The Relationship between Reliance on Compliance Tools, Proper Test Performance, & Obtaining Assurance
What is the relationship between reliance on information provided by the compliance software tool, performing the proper level of testing, and obtaining the proper level of assurance as required by the AICPA? The AICPA published a frequently asked questions (FAQ) document as of June 30, 2021, entitled “Effect of the use of software tools on SOC 2 examinations.” For those that are members of the AICPA, the document can be found on the AICPA website. This document addresses various questions service organizations and service auditors may have when performing a SOC 2 audit where the service organization uses a SOC 2 software tool to aid in achieving compliance for criteria covered in a SOC 2 examination. Areas of coverage include:
- Risks related to the usage of the tool.
- Service auditors’ compliance with the relevant professional standards.
- Independence considerations.
- Business relationships with the SOC 2 software tool provider and compliance with AICPA professional and ethical responsibilities.
What are Potential Risks When Using SOC 2 Software Tools?
There are several risks that the auditor must consider with the usage of such a tool and when planning the SOC 2 audit. Examples of these risks include:
- Coverage of the service organization’s operations by the tool.
- Reliability of the information captured in the SOC 2 software tool. If the configuration (for example, which systems are connected and which checks are enabled) is not correct, the data collected will not be correct.
- Consistent capturing of information by the SOC 2 software tool.
- Undue reliance the service organization may place on the SOC 2 software tool.
- The SOC 2 software tool may have operating gaps where controls are not being tracked or monitored.
An overarching concern is that the service auditor should not place undue reliance on the tool.
What Procedures Should Be Implemented in Conjunction with SOC 2 Software Tools?
Overall, the service auditor cannot rely solely on the information captured and tracked by a SOC 2 compliance software tool when performing a SOC 2 audit. In order to gain the appropriate level of comfort and reliance on the processes, data, and audit procedures performed, and to comply with auditing standards, the service auditor must perform procedures outside of a review of the tool. These procedures include:
- Inspection of evidence presented within the SOC 2 software tool, as well as evidence for processes and controls not covered by the SOC 2 software tool.
- Inquiry into the operations of processes and controls covered by the audit procedures to confirm what has been designed and placed into operation.
- Observation of service organization personnel performing certain controls.
- Validation of a sample of results reported by the SOC 2 compliance software tool to determine that the tool is completely and correctly providing information collected from the systems and processes it is monitoring.
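The last procedure above, validating a sample of what the tool reports against what the monitored systems actually say, is the one most easily supported by a small script. The example below is an added illustration, not code from the article or from any of the tools named in it. It assumes two CSV exports with the same columns: one from the compliance tool and one pulled directly from the endpoint management system. Both exports are constructed sample data. The reconciliation reports coverage gaps (hosts the tool never saw), stale records (hosts the tool reports that no longer exist at the source), and field-level mismatches, and it selects a reproducible sample of hosts for manual validation.

```python
"""Reconcile a compliance tool's reported control status against an independent
source-of-truth export, to test completeness (coverage) and accuracy of the tool."""
import csv
import io
import random
from dataclasses import dataclass, field

# Constructed sample data (not from any real tool): what the compliance tool reports.
TOOL_EXPORT = """hostname,owner,av_enabled,os_patch_current
ws-001,alice,true,true
ws-002,bob,true,true
ws-003,carol,false,true
"""

# Constructed sample data: the same attributes exported directly from the endpoint
# management system, independently of the compliance tool.
SOURCE_EXPORT = """hostname,owner,av_enabled,os_patch_current
ws-001,alice,true,true
ws-002,bob,true,false
ws-003,carol,false,true
ws-004,dave,true,true
"""

# Attributes the auditor expects the tool to report correctly for every host.
COMPARED_FIELDS = ("owner", "av_enabled", "os_patch_current")


@dataclass
class Reconciliation:
    source_count: int = 0
    missing_from_tool: set = field(default_factory=set)    # coverage gap: never seen by the tool
    missing_from_source: set = field(default_factory=set)  # stale or phantom records in the tool
    mismatches: list = field(default_factory=list)         # (host, field, tool_value, source_value)

    @property
    def coverage_rate(self) -> float:
        """Share of hosts at the source that the tool actually tracks."""
        if self.source_count == 0:
            return 0.0
        return (self.source_count - len(self.missing_from_tool)) / self.source_count


def load_export(text: str) -> dict:
    """Parse a CSV export into {hostname: row}, normalizing case and whitespace."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["hostname"].strip().lower()
        rows[host] = {k: (v or "").strip().lower() for k, v in row.items()}
    return rows


def reconcile(tool_rows: dict, source_rows: dict) -> Reconciliation:
    """Compare the tool's view against the source of truth, host by host and field by field."""
    result = Reconciliation(source_count=len(source_rows))
    result.missing_from_tool = set(source_rows) - set(tool_rows)
    result.missing_from_source = set(tool_rows) - set(source_rows)
    for host in sorted(set(tool_rows) & set(source_rows)):
        for fld in COMPARED_FIELDS:
            tool_value = tool_rows[host].get(fld)
            source_value = source_rows[host].get(fld)
            if tool_value != source_value:
                result.mismatches.append((host, fld, tool_value, source_value))
    return result


def select_sample(hosts, sample_size: int, seed: int) -> list:
    """Pick a reproducible sample of hosts for manual validation; the seed lets the
    selection be re-performed and documented in the workpapers."""
    population = sorted(hosts)
    rng = random.Random(seed)
    return sorted(rng.sample(population, min(sample_size, len(population))))


def run_reconciliation() -> Reconciliation:
    """Run the comparison over the embedded sample exports."""
    return reconcile(load_export(TOOL_EXPORT), load_export(SOURCE_EXPORT))


if __name__ == "__main__":
    result = run_reconciliation()
    print(f"coverage: {result.coverage_rate:.0%}")
    print("not tracked by tool:", sorted(result.missing_from_tool))
    print("stale in tool:", sorted(result.missing_from_source))
    for host, fld, tool_value, source_value in result.mismatches:
        print(f"mismatch {host}.{fld}: tool={tool_value} source={source_value}")
    print("hosts to validate by hand:", select_sample(load_export(SOURCE_EXPORT), 2, seed=2021))
```

On the sample data the script finds that ws-004 is not tracked by the tool at all (a coverage gap of the kind listed under the risks above) and that the tool reports ws-002 as patched while the endpoint system says it is not. Either finding would have to be resolved before the tool's patching report could be relied on; an auditor would extend the sample or treat the tool's output as unreliable for that control.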
Does SOC 2 Compliance Software Affect an Individual Auditor’s Responsibilities?
In obtaining an understanding of the service organization’s system and the system controls described in the description of the system, the service auditor is required to obtain an understanding of the processes and controls performed by a SOC 2 software tool. The overriding theme is that a service organization’s use of a SOC 2 software tool does not change the service auditor’s responsibility to comply with relevant professional standards and responsibilities.
As stated by the AICPA Code of Professional Conduct Section 1.300.001 General Standards Rule:
- “.01 A member shall comply with the following standards and with any interpretations thereof by bodies designated by Council.
- a. Professional Competence. Undertake only those professional services that the member or the member’s firm can reasonably expect to be completed with professional competence.
- b. Due Professional Care. Exercise due professional care in the performance of professional services.
- c. Planning and Supervision. Adequately plan and supervise the performance of professional services.
- d. Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.”
Finally, the service auditor is responsible for complying with the relevant attestation standards in AT-C sections 105, Concepts Common to All Attest Engagements, and 205, Examination Engagements. Both standards cover concepts that the service auditor must abide by when performing a SOC 2 engagement. As a reminder, SOC 2 engagements are attest engagements in which the service auditor provides an opinion based on the results of the procedures performed in relation to the engagement objectives.
What Kind of Relationship Can the Service Auditor Have with the Provider of the SOC 2 Compliance Software Tool?
In all cases, the service auditor must be independent of the provider of the SOC 2 software tool. This is because the tool is gathering evidence used as part of the audit or providing a service that serves as one of the control areas being tested as part of the SOC 2 audit. Examples are reporting on configurations and alerts in Amazon Web Services (AWS) and creating notifications within the SOC 2 compliance software tool when a threshold is reached or exceeded. An additional example is using the SOC 2 compliance software tool to complete onboarding and offboarding activities for service organization personnel.
In addition, 0.300 Principles of Professional Conduct, Section 0.300.050 Objectivity and Independence, states: “.01 Objectivity and independence principle. A member should maintain objectivity and be free of conflicts of interest in discharging professional responsibilities. A member in public practice should be independent in fact and appearance when providing auditing and other attestation services.”
In conclusion, use of a SOC 2 software tool by a service organization can supplement the compliance and reporting operations of the service organization. This can lead to increased efficiency in various operations, greater overall compliance with company-identified processes and procedures, and consolidation of defined operations into one centrally managed tool. These benefits allow for a smoother and more efficient audit process. It must be remembered, though, that such a tool does not cover all of the areas in a SOC 2 audit, nor all of the relevant professional standards and responsibilities with which the service auditor must comply.
Please reach out if you would like to learn more about SOC 2 compliance requirements. Additionally, if you would like to learn more about any of our other audit services please don’t hesitate to contact us.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1 and SOC 2 audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.