Angela Appleby, a partner and lead auditor from Plante Moran who also sits on the AICPA Assurance Services Executive Committee, dives into the world of SOC reporting, and particularly the risks companies are facing there and the opportunities for accountants.
Transcription:
Dan Hood (00:03):
Welcome to On the Air With Accounting Today. I'm editor-in-chief Dan Hood. You know, SOC reporting may be the biggest growth area for accountants that you haven't heard of, even though it's been around since 2010 or so. And a fair number of firms are building strong practices in this area. So here to talk about SOC reporting in general and particularly why SOC 2 is important right now is Angela Appleby. She's a partner and lead auditor at Top 15 Firm Plante Moran. She's a member of the AICPA's Assurance Services executive committee and she's been teaching firms about SOC reporting through the institute for over a decade. Angela, thanks for joining us.
Angela Appleby (00:31):
Hi Dan. Yeah, thanks so much for having me.
Dan Hood (00:34):
Alright, right. First off, for those who are not familiar with the world of SOC reporting, can you give us sort of an introduction to it? What are SOC reports in general?
Angela Appleby (00:41):
Yeah, absolutely. So first off, SOC, S-O-C, stands for system and organization controls. The reports are a suite of services that CPAs can provide in connection with system level controls of a service organization or entity level controls of other organizations. These reports, they address topics ranging from internal controls or financial reporting to cybersecurity to other operational areas such as system availability and processing integrity, all the way to supply chain management. These reports, they originated from what used to be SAS 70 reports. Back in the day, SAS 70 reports were controls at a service org that impact a user entity's internal controls or financial reporting. But what happened is over time many companies were seeing the need for reports over other outsourced services that were unrelated to internal controls or financial reporting. So with that came the AICPA- created the SOC suite of services to address topics that are unrelated to internal controls over financial reporting, but more operational such as cybersecurity.
Dan Hood (01:41):
Gotcha. Alright. So that's just right as you said, it's a suite of services, SOC 1 reports a SOC 2 reports. There's even SOC 3 reports. Maybe for our purposes today, can you tell us sort of the differences between a SOC 1 report and a SOC 2 report?
Angela Appleby (01:53):
Yeah, absolutely. So a SOC 1 report is a report over internal controls at a service organization related to internal controls over financial reporting. Whereas a SOC 2 report can be over topics such as security, availability, processing integrity, confidentiality or privacy. So both reports, they provide assurance to customers and their auditors about the controls at their third party vendor at a sub-service organization or service organization. However, they do address different subject matter areas and they're actually intended for different purposes and they're issued under slightly different attestation standards.
Dan Hood (02:30):
So, alright. So we mentioned that there's a couple of different kinds of reports and they cover different areas. How does a firm or a company I should say know if it needs a SOC report and if it needs a SOC report, which kind does it need? SOC 1, SOC 2, or both or neither? How do they know if they need to contact a firm to get themselves a SOC report?
Angela Appleby (02:49):
That's a great question. So with the SOC reporting that came about, if you remember originally, like I said, they were related to controls at a service organization related to internal controls or finished reporting. But over time they want customers wanted more confidence over security availability over other operational areas around services that are being provided by their customer. So many organizations are still trying to determine what report they need and there are some things to consider. First is, are the services related to internal controls or financial reporting? Is it like a payroll company or are they more concerned about security for a data center or a managed security operation? So basically it depends on what the customers are asking for and what the customers need. For SOC 1 reports, those are very commonly requested for financial reporting purposes where the auditors of a public company or even a private company need to understand what is it that your service providers are doing for you as it relates to the inputs to your financial statements. The SOC 2, however is a better choice if companies are looking for comfort over governance areas such as cybersecurity and availability, is the system going to be up and running? And it really goes into whether or not their third party vendors are addressing their service commitments and system requirements that they're promising to their customers.
Dan Hood (04:21):
So in most cases, do you think is a company or an organization, someone's going to come to them for a cycle report and say, listen, we need proof of that you're handling data correctly or that your third party service providers are handling data correctly? Is that how that usually works or do they have to have it ready internally so that they can hand it out to people?
Angela Appleby (04:39):
That's another good question. Sometimes it's both directions. Sometimes the clients come in and say, Hey, our auditors are saying we need this report. Or Hey, we want to get comfortable about your security controls at your organization if you have our data. So it comes about that way. At the same time, some companies can't even get into contracts with customers if they don't have a SOC report. It's just an item on the list that says, do you have any sort of intro control report or certification or anything similar of that nature that to show that you actually have controls over what you're promising us. And if you don't, then may not, we may not be able to do business with you.
Dan Hood (05:19):
And it seems like in some cases you see companies saying, Hey we've got a so two report, we have this already. It's almost a bragging right kind of thing. They say, listen, you can trust us because we have this. I think it seems to be more in SOC 2 reporting, but it seems like there's some companies that started to say, Hey look, we're somebody looked at us and said we're okay kind of thing.
Angela Appleby (05:37):
Yeah, and actually that's a really good point too because there's a difference between the SOC 2 and the SOC 1s and that the SOC 1s reports are being used from financial reporting purposes and they're restricted to the auditors and to their clients and their clients' auditors. Whereas a SOC 2, you could actually provide it to prospective customers who understand the limitations of the report order to get comfortable with what those service providers are doing for them. So in a way they can use it, it's probably one of the best things that you could have out there that says we have our act together and this is what we do and we have controls around what we do and our promises that we're making to you.
Dan Hood (06:13):
Excellent. Alright, there's a lot here. I want to dive more specifically into SOC 2 things, but a couple of quick things to go through. Maybe just at the general level. Are there tools or technology reporting tools the company can or should be looking at to help with sort of SOC reporting on either for SOC 1, SOC 2, are there technologies that they should be thinking about?
Angela Appleby (06:35):
I'm a big fan of technology. I work in the technology space, I audit technology. There absolutely are tools out there that are available for companies that are just embarking on their SOC 2 journey. At the same time, there's a lot of risks involved with adopting a tool as it relates to is it implemented correctly, is it configured? People process and technology has to be aligned. And a lot of the times we don't want companies to just assume that, hey, if I implement this system, it's going to get me a good SOC report and I'll be able to have a very quick audit and everything is done for me. There is the people aspect of it and the user aspect of it in terms of what are management's risks and management needs to have their own controls and their own viewpoint and it needs to be tailored more to their organization.
Dan Hood (07:28):
Gotcha. So there's tools, but all tools, you got to match them up with a bunch of other things to make sure it's not going to take care of it for you, like you said.
Angela Appleby (07:36):
Exactly.
Dan Hood (07:37):
And one quick thing again before, like I said, we're going to dive into not too in some depth, but before we do that, are you finding that there are accounting firms? Cause a lot of our audience will be from public accounting firms that will be helping their clients with their SOC reporting or providing the reports themselves. Are you finding the firms are focusing on one type of report or other or they tend to do both? Oh, there's a whole SOC three we haven't talked about, but really, but let's focus on SOC 1 or 2. Are they tend to do both or do they focus on one?
Angela Appleby (08:04):
So yeah, many, many CPA firms offer the full suite of SOC examination services and right now it's typically the SOC 1 and the SOC 2 however. But there are some firms that might offer one or the other but not both. In these instances, the firm's decision may be focused on the skillsets that they currently have within the firm. For example, a firm may choose not to offer SOC 2 reports because it requires specific expertise related to IT auditing that they may not have in-house. Likewise, a firm may not have experience in a certain industry such as financial services or insurance and therefore may not choose to offer SOC 1s in that industry. They really named need to make sure that they have the right expertise in house. And I think that's where it varies from firm to firm.
Dan Hood (08:46):
And it's probably, I mean that's worth highlighting, right? That difference in the skillset, particularly around SOC 2, it is an IT technology related. You need to bring that to the table. It's not just a, Hey, I'm an auditor, surely I can do a SOC report. Right. It requires that specific expertise in technology.
Angela Appleby (09:01):
Yes, correct.
Dan Hood (09:02):
Alright, we're going to, like I said, we're going to dive in. I keep promising we're going to dive into SOC too cause I'm excited about it, but we're going to take a quick break before we do. We'll be right back. Alright, and we're back. And we're talking with Angela Appleby of Plant Moran about sock reporting and she's given us pretty much a whirlwind tour of the overall world of sock reporting. But we're going to dive into SOC 2 reporting now because even though sock reporting's been around for over a decade, SOC 2 report's been around for a while. There's a lot of interest recently in SOC 2 reporting. Maybe you could tell us what's driving that interest.
Angela Appleby (09:36):
Yeah, so SOC has been a huge success story for the AICPA of the profession. It was the first offering of its kind to offer an internal control report performed by an independent licensed CPA over services that are outsourced to customers. So trust and confidence over subject matters such as system reliability and privacy. It's becoming more of a focus area for organizations as they manage third party risk. If a company is relying on specific software or outsourcing certain services, that company needs to be aware of the risks and their customers need to be aware of them. Those risks that they face if proper controls aren't in place or operating effectively at their service provider. With that SOC reporting has over time has grown to a billion dollar industry, which I think is incredible that growth and success leads a variety of companies wanting to get in on the action.
(10:24)
All that said, over the last few years there's been many technology companies and non-CPA, a consulting firms that began offering these services ideas on how to streamline SOC examinations came to play and software vendor built programs to automate the examination as much as possible. Some software vendors have created great tools that help companies get ready for SOC engagements, which can yield efficiently efficiency and quality gains for service orgs and their customers alike as well as service auditors. At the same time with these efficiencies and quality gains risks can also be introduced to the market. For example, when automation crosses the line into issuing boilerplate SOC reports without the service auditor working with the service organization to understand the appropriate controls are in place and operating effectively, the system could break down companies that hire firms to perform their SOC examinations and users of SOC reports should raise concern if they recognize that on their engagement. There's also significant investment in marketing SOC reports currently so much that you see SOC reports mentioned on billboards throughout the country in the city subway systems and on social media platforms.
Dan Hood (11:28):
I was just saying this morning I saw an ad for sock reporting from another firm that we won't name, but on Amazon it was a fill in ad it just said, Hey, how's your sock reporting? I'm like, why is Amazon asking you about my so reporting? And anyway, sorry to interrupt, but you're absolutely right. It's really showing up in spots you would never expect.
Angela Appleby (11:44):
Yeah, no, absolutely. I see it on social media all the time as well. They have, the advertising that's currently going on is they have catchy slogans on billboards. It draws people's attention to it that may are not even accountants and makes 'em wonder, well what is is this thing that is getting all this advertisement out there? So thanks to these vendors, the market now knows more than they ever have around SOC reporting and it's been taking off.
Dan Hood (12:07):
Excellent. And we talked so broadly about it, but what are some of the risks that SOC reports, SOC 2 reports are meant to address? And then as we talk about those risks, maybe we talk about are these kind of risks that are growing in concern, is that why there's, like I said, you said there's social media ads about it, it's crazy how many accounting firm products or account assurance and the test products get that kind of play. So what are the risks that are going on? Why are they getting that attention?
Angela Appleby (12:37):
No, absolutely. So these reports, they're intended to address the risk of companies not meeting their service commitments or system requirements that they make to their customers. So I would want to know, hey, if I'm outsourcing the service, how do I know that you know what you're doing and you're doing a good job doing what you're doing? So a company that receives a SOC 2 report from their vendor should evaluate whether the service that the service organization is being engaged for is included with the scope of the report. So that's very important is that the scope actually covers what they're promising to their customers. An example is if a service organization has a service commitment on their website and it says that we're going to have 99.99% uptime, there would be an ex expectation that report includes controls to address the risk of system downtime such as monitoring and access controls.
Dan Hood (13:20):
Does this get into things like data privacy? Has that ever come up in these? Is that, I mean, cause obviously that's a huge risk, people talking about uptime is another one that people are concerned about.
Angela Appleby (13:29):
Yeah, absolutely. The SOC 2 reports can, there's five principles that you can be reported on. One's security, one's availability, one's confidentiality, one's processing integrity, and then privacy is absolutely in there. And there has been a lot of questions and concern around data privacy in the industry and in the market just in general with all the new developments with AI and everything else that's out there
Dan Hood (13:51):
Right now. So you mentioned those five pillars. Are those automatically included in every shop two report or is it depending on what claims you said they're, if you say you're going to have 99% uptime, we make sure that you do that kind of thing. Or is it based the report? Is it based on which things they're promising or is it based on all those five no matter what?
Angela Appleby (14:10):
It starts with the common criteria and the common criteria address all five of them. But most reports start with security. Security is usually the core of everything. And then many companies have availability included and confidentiality. We're starting to see an increase in reports around processing integrity as well as privacy. So to answer your question, the company can actually choose to report on one or all five, but it is up to the auditor to make sure that if they do have a commitment around availability and they're not reporting on availability, is that correct? And is there a reason why they're admitting that principle?
Dan Hood (14:50):
And I mean this is classic auditing stuff, this sort of testing what you're doing, what you say you're doing, and when you say you're doing it, are you really, so let's go a little bit more into from the auditor's perspective of creating the SOC 2 report. What does that look like from the accounting firm's perspective? Someone comes and says, I need a SOC 2 report. They spring it to action and they do. What does that look like from when they're creating a SOC 2 report? What does it look like from the accountant's perspective or the auditor's perspective I should say?
Angela Appleby (15:20):
Yeah, so a SOC report is basically an examination. We have to do a full, full-blown audit around a company's trial controls. It's not as easy as I'll come in and spend two weeks there and then all of a sudden I'll issue a SOC report by the click of a button. It requires a team of professionals that have the right competencies to evaluate the description of the services offered, evaluating where the control owners have the right competencies and understanding what they're doing and then performing testing over the controls. So it also requires quite a bit of preparation by management of the service organization, the company we're auditing. So management makes an assertion about their internal control environment similar to the assertions that are required for an I C F R report. Internal controls or financial reporting audit for say a public company, as part of management's responsibility, they're required to have a reasonable basis for their assertion.
(16:11)
This means they have to meet the requirements of criteria to meet their service commitments and system requirements. For example, they're required to perform a risk assessment each and each organization has their own service commitments and system requirements that they're promising their customers. So they need to be tailored and specific to that organization. So the SOC criteria, there's criteria within those five principles, and it's not a framework like PCI, which is the payment card industry where all requirements must be met. Instead, it's an examination where the auditor evaluates the controls against a set of suitable criteria. For example, in the case of SOC 2, the trust services criteria and a licensed CPA signs the report. So licensed CPAs were bound by a number of quality control mechanisms such as professional standards, codes of ethics and system of quality management and oversight. So there does take time and it is something, like I said, it's more than just a click of a button. You give us these documents and all of a sudden you have a report.
Dan Hood (17:14):
Well, and as you say, it also requires some understanding of some technological expertise, or at least somewhere in the firm, they've got to have the expertise to say, to judge, in all these areas, the average firm may have no idea what the security requirements might be or should be. So you're going to need to develop that internally before you can start issuing these.
Angela Appleby (17:32):
Exactly. And for that reason, that might be why some companies just starting out end up starting with the SOC 1s versus the SOC 2s. SOC 1 is more financially related,
Dan Hood (17:41):
Little close to their usual wheelhouse.
Angela Appleby (17:43):
Exactly.
Dan Hood (17:44):
Excellent. So as we said, this is a huge opportunity for accounting firms, billion dollar industries you mentioned. I realized it was so big, but it is, and it's growing. The demand for it's only going to increase a, as accounting firms are looking at wavy, whether they should be offering these kinds of SOC 1 or SOC 2 reporting services, are things they should be bearing in mind or are there things that companies should be bearing in mind as they look to get whether they need a SOC 2 report and who should be providing any thoughts for them?
Angela Appleby (18:10):
Yeah, absolutely. So from a firm perspective, they need to make sure that they have the right skillset and expertise in-house to offer these services. And they have to remember that they have to follow the professional standards that we have in place for us, for our industry. If one of their clients uses tools, they need to be aware that the tools don't eliminate auditor judgment or the standards that have to be followed. For example, the auditors need to evaluate what's called IPE — information provided by the entity — regardless of where the information come comes from, similar to a financial system and a financial statement audit, they can't really audit around the system. So if tools are involved, they need to consider what risks those tools pose to the audit itself and to make sure that they're evaluating those tools as well as it relates to a company that's thinking about getting a SOC report, they're similar to any audit.
(18:58)
There's CPA firms of all shapes and sizes. They might want a bigger firm, they might want a smaller firm, they might have a relationship with an existing firm that does their tax work for them. So it really depends on what they're looking for in terms of choosing an auditor. Something that's important too is why are they getting the report? Are they getting the report to show their management team and clients and prospective clients that they're doing their due diligence and have a solid control environment in place? Or are they just getting the report to check a box to allow them to compete in the marketplace? If they're just checking a box, they're accepting the risk that their reports don't provide the level of assurance that their customers are expecting or actually assessing and addressing potential control deficiencies that could put their company and their customers at risk, which in turn could be a negative factor. So I wouldn't recommend the check the box mindset, but if management is okay with that, then that's that, that's their decision and that may suit them. So I can analogize the situation as it relates to picking the service auditor using an airline example. So people prefer to fly specific airlines based on their personal needs, considering loyalty, comfort of service on-time, performance rate, commitment to maintenance and maintenance, track record, et cetera. So like an airline passenger, each company needs to evaluate what is important to them and make their decision accordingly.
Dan Hood (20:16):
And it's probably, actually, it's sort of interesting because I know you were recently, we were all recently at the Engage Conference in Las Vegas and one of the things they were talking about there is the importance of, from both sides of an auditor having a fair amount of experience in whatever it's doing. You don't want to go with an auditor for instance, that's doing one SOC 2 report a year kind of thing. Some level of expertise and frequency. So it's like you wouldn't want to go with an airline that only flies once a year. You would want to go with, look for a SOC 2 pro report provider that has does more than one. And if you're going to, as a firm, offer it, right, it makes sense to do it only if you're going to be able to achieve a certain mass where you're going to be able to get the expertise needed to do it. Cause it's, as we noted, even just different from SOC 1 reporting, it requires a whole different set of expertise.
Angela Appleby (21:02):
Absolutely. So do more than one and to actually understand the industry and in the background as to what they're evaluating.
Dan Hood (21:09):
Alright, as you said, we could talk a lot more about it because it is a huge topic, but thank you for helping us get our hands around it today, at least Angela Appleby of Plante Moran, thanks for joining us.
Angela Appleby (21:18):
Thank you.
Dan Hood (21:19):
And thank you all for listening. This episode of On the Air was produced by Accounting Today with audio production by Kevin Parise. Rate or review us on your favorite podcast platform and see the rest of our content on accountingtoday.com. Thanks again to our guest, and thank you for listening.