Addresses the increasing utilization of automation to make the execution of SOC 2 audits cheaper and more efficient.
by Jeff Cook, CPA, CITP, CISA May 26, 2021, 09:43 AM
The traditional way of doing information technology (IT) and SOC 2 audits is going away, and it’s happening really fast. Automation is here, and it’s having an impact. But that doesn’t mean CPA firms cannot adapt and enhance their practices, deliverables, and value. Embracing automation, and the tools that facilitate it, is the key.
SOC 2 reports have been on the rise the last few years. However, over the past 12 to 18 months, the rise has been exponential as companies shift to more remote work and embrace the cloud. That, along with an increase in security breaches, supply chain and vendor issues, and other cybersecurity incidents, has led to a greater demand for SOC 2 and other cyber reporting.
The demand is moving beyond large companies too. Small and medium-size enterprises, startups, and others are not ignoring strong cybersecurity postures, security questionnaires, or IT audit requirements (like SOC 2) in their contracts.
While CPA firms have been building and developing their IT audit practices, a variety of SOC 2 (and other governance, risk, and compliance) tools have appeared on the scene. These tools sell directly to clients and service organizations promoting efficiency in audits. Often, they will list CPA firms that they work with to help sell packages to potential customers. From this, clients have begun to expect lower costs and higher efficiencies from their tools and their CPA firms.
The result has been clients paying annual subscription licenses for the tool and then demanding lower pricing for their SOC 2 audits. Some CPA firms have become early adopters of automation, charging fees for SOC 2 engagements that did not previously seem possible. The shift at this point is inevitable: the market is what the market is. CPAs will have to adapt or get muscled out by those willing to adapt and charge less.
Many of the SOC 2 and IT audit tools have similar functions, but each has different features that make it unique. The most significant commonality, though, is the ability to integrate with the various cloud applications that clients use to support their service.
A common example is integrating with the cloud service provider (CSP) that hosts the client’s application. The automated tool pulls information from the CSP about who has access to the CSP environment, what databases they use, and other information. The tool then reports on whether or not the client is meeting its controls for privileged access, environment changes, and more. The tool also gathers the evidence behind that control reporting, which CPAs can use to support their audit.
Some will also include policy generators, system description generators, security-specific controls, and other features that help the client solidify its environment, resulting in a better cybersecurity posture.
A few tools fall short because they leave the client with the impression that using the tool amounts to completing an audit. Of course, CPAs understand that collecting evidence is only part of the process. CPAs have a lot more work to do, and it often includes asking the client for more information, sample testing, and gathering other documentation to support a complete file.
If you have a client using these tools (or thinking about using them), you need to gauge whether the evidence package will support your audit as is or if you need more information. The client and the tool provider should be aware of your findings so all expectations are in line with how the engagement will pan out.
Naturally, the automation tools affect engagement fees. Is the tool going to reduce your level of effort (and in turn save the client money), or are you just getting a folder of evidence that you would have gotten from providing a request-for-information list? If the latter happens, the client will be upset: they paid for a tool that saved the CPA no effort, and they are still paying the same price for the audit.
Some tools, however, can do much more. Integration and control reporting can show the CPA real data from the source about how a control is operating and if it was effective during an audit period or not. The key is that CPAs will have to think differently from the traditional methods of doing IT audits.
Consider change management as an example. Traditionally, the CPA would request a population of changes during the entire audit period. A sample selection would be made, and then the client would provide evidence for each of the items sampled. Those samples may lead to questions, which result in more back and forth, taking an estimated six to eight hours to complete the test. Using a tool that integrates properly, the client can enable branch protections for change management, which ultimately means that the change process must be followed; otherwise, the change will not go through to production. The CPA can look to see if the control configuration is correct and if the branch protections were enabled throughout the period. The same test now takes 30 to 60 minutes to complete.
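As an added illustration of the automated change-management test described above (example code written for this page, not from the article or from any audit tool), the following checks a constructed branch-protection configuration against the control’s requirements and walks constructed audit-log events to find any dates in the audit period when protection was switched off. The configuration shape and event names are assumptions, not any vendor’s schema.

```python
from datetime import date
# Constructed branch-protection settings for the production branch (assumed
# shape, loosely modeled on a VCS API response; not any vendor's schema).
PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": {"contexts": ["ci/test"]},
    "enforce_admins": True,
    "allow_force_pushes": False,
}
# What the client's change-management control says must be configured.
REQUIRED = {"min_approvals": 1, "require_status_checks": True,
            "enforce_admins": True, "forbid_force_push": True}
# Constructed audit-log events: when protection was switched on and off.
EVENTS = [
    ("2020-12-15", "protection_enabled"),
    ("2021-03-02", "protection_disabled"),  # hotfix window, control bypassed
    ("2021-03-03", "protection_enabled"),
]

def config_findings(protection, required):
    """Settings that do not meet the control; [] means the config is correct."""
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < required["min_approvals"]:
        findings.append("approvals below minimum")
    checks = protection.get("required_status_checks") or {}
    if required["require_status_checks"] and not checks.get("contexts"):
        findings.append("no required status checks")
    if required["enforce_admins"] and not protection.get("enforce_admins"):
        findings.append("admins can bypass")
    if required["forbid_force_push"] and protection.get("allow_force_pushes"):
        findings.append("force push allowed")
    return findings

def unprotected_intervals(events, period_start, period_end):
    """Date ranges inside the audit period when protection was off; [] means
    the control operated throughout the period."""
    start, end = date.fromisoformat(period_start), date.fromisoformat(period_end)
    gaps, enabled, off_since = [], False, date.min  # off until proven on
    for stamp, kind in sorted(events):
        when = date.fromisoformat(stamp)
        if kind == "protection_enabled" and not enabled:
            gaps.append((off_since, when))
            enabled = True
        elif kind == "protection_disabled" and enabled:
            enabled, off_since = False, when
    if not enabled:  # still off at period end
        gaps.append((off_since, end))
    clipped = ((max(a, start), min(b, end)) for a, b in gaps)
    return [(a.isoformat(), b.isoformat()) for a, b in clipped if a < b]
```

A non-empty result from either function is the auditor’s exception list: a configuration that does not enforce the process, or dates on which changes could have reached production without following it.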
This illustrates how understanding the technology and how it can support an audit can significantly reduce audit time. Moreover, it will allow CPAs to reduce the cost and pricing of the engagement, thus enabling them to compete in the market against those already adopting automation.
Here is what CPAs – as well as their clients – should look for in an automation tool:
The industry recognizes that these tools are being used more and more. They are changing the way SOC 2 and IT audits are being performed, but they have to be looked at for what they provide and how they can help both the client and the auditor. In the end, companies cannot complete a SOC 2 without an auditor, so make sure your clients use something that makes your audit stronger, more efficient, and smoother for all parties.
Jeff Cook, CPA, CITP, CISA, is cofounder and chief financial officer of ByteChek LLC in Miami. He can be reached at firstname.lastname@example.org.