Fueled by the business world's continuing evolution toward outsourcing, a service that remains relatively new is providing increasing opportunities for CPA firms that possess deep technology expertise.
An overwhelming majority (84%) of companies polled in Deloitte's 2018 Global Outsourcing Survey said they have either initiated discussions, conducted pilots, or implemented at least some outsourcing solutions. Meanwhile, businesses' move toward cloud services places their data in the hands of third parties. But, while outsourcing can provide new efficiencies and cost savings, companies encounter new risks when they turn over operations and data to partners outside their organization.
These risks can be reduced if outsourcing providers have appropriate controls and systems in place to prevent theft, fraud, and cyberattacks and to address other operational challenges. System and Organization Controls (SOC) examinations performed by CPAs can give companies assurance that their outsourcing providers possess appropriate controls. And in an environment with increased outsourcing and rapidly changing risks, the growing need for these reports presents a business opportunity that CPA firms may wish to consider.
As with any new service offering, a firm should evaluate whether its clients could benefit from the new services. If so, the firm should consider whether it possesses the deep technology skills and expertise to perform SOC examinations.
For a firm that is already providing information security services to its clients, performing SOC services may be a natural extension of the firm's skills and competencies. Firms that do not possess the requisite skills and expertise in-house have choices. They can:
- Join a network of firms that provide SOC services and refer clients to a trusted firm within the network that performs SOC services; or
- Hire people with the technology expertise to perform these services.
If a firm is considering expanding to offer a new service line in SOC services, that decision should be made only after careful analysis of its clients' needs and deliberation over the risks and opportunities that the new service line would create. For many firms, providing SOC services is one more way a firm can enhance its clients' views of CPAs as trusted business advisers.
The growth of SOC engagements reflects trends that have been changing business practices at accounting firm clients for years. Technology innovations like big data and the growing reliance on cloud computing providers have spurred accounting firm clients to be more alert to data security risks that can be evaluated in a SOC report.
"Technology is driving a whole new set of services for our profession," said Jim Bourke, CPA/CITP/CFF, CGMA, partner and managing director for advisory services at Withum Smith+Brown PC, in New York City. "SOC [examinations are] an example of one of those services totally fueled by technology, and it's not going away."
SOC 1 engagements result in reports on a service organization's controls that are relevant to its user entities' internal control over financial reporting, while SOC 2 engagements result in reports on a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy (the trust services categories). SOC for Cybersecurity is an engagement for organizations looking to report on a description of their cybersecurity risk management program and the effectiveness of the controls within that program. A new SOC engagement that focuses on the controls of manufacturers, producers, or distributors (rather than service organizations) for the benefit of their customers and business partners also is under development.
Bourke has become an advocate of sorts for accounting firms that are developing a specialty in SOC engagements. In Bourke's view, the variety of SOC reporting types reflects the overwhelming reliance many businesses have on external suppliers, particularly in the realm of information technology. SOC engagements are a way for accounting firms to demonstrate to clients that their expertise and services remain vital to clients' ability to run their businesses.
Here are some things CPAs need to know about SOC engagements as interest in this area rises:
Technology expertise is essential
A SOC engagement "requires a thorough understanding of the technology environments in which most of these companies operate," said Steven Ursillo Jr., CPA/CITP, CGMA, a partner with Cherry Bekaert LLP in West Warwick, R.I., and the firm's national leader for information assurance and cybersecurity. The CPA is expected to understand the client's technology, operations, and risk profile, and whether the client runs its technology on-site or in the cloud.
"It also includes a significant knowledge and understanding of what the cybersecurity threats are, what the typical cybersecurity governance program would look like in order to safeguard [data], and what companies would expect for the proper design of controls to mitigate the risks and threats to an organization," he said.
Ursillo added that the SOC guidance adheres to the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control — Integrated Framework.
"It's just very specific to the different types of risks that are based on the current threat landscape and the evolving threat landscape of technology," he said.
SOC engagements can help clients manage cybersecurity risks
Bourke said every stakeholder in a business — including partners, shareholders, customers, and suppliers — has a stake in the business's cybersecurity.
"They want to be comfortable that the company is on its game with respect to cybersecurity readiness," Bourke said. "I want confirmation of the fact that they are having a SOC engagement done."
The desire for comfort about cybersecurity and data protection is compounded by the growing reliance on third-party technology providers.
"As a custodian of this data, you have an expectation of safeguarding it," Ursillo said. "The amount of breaches and the level of damage [that may result] are making legislators and regulators hold people and organizations accountable, which indirectly is putting more pressure on those managing these risks."
The more organizations rely on emerging technology, the more important it will be for CPAs to provide confidence to interested parties that the organization's controls over data protection and security are effective.
"Organizations definitely need to mitigate the risks around the theft of data and the bypassing of internal controls for financial reporting," Ursillo said.
Identify the industries in your market that are likely to want or need SOC reviews
Gina Pruitt, CPA/CITP, CGMA, member-in-charge, Risk Assurance & Advisory Services for KraftCPAs PLLC in Nashville, Tenn., said her firm's home market has a large health care industry and a growing set of third-party suppliers to service the health care market, including claims processors, data management companies, and providers of software as a service (SaaS). Data protection is a major concern for the suppliers and the health care providers.
"There's a very high reputation risk in using third parties," Pruitt said. "The only way those health care entities are going to work with them is if they have a SOC report."
Don't let the peer review requirement become a barrier to entry
Practitioners with established SOC engagement practices say they have spoken to counterparts at other firms who are reluctant to enter the SOC market due to concerns about the cost and oversight of meeting the peer review requirements for SOC engagements. In the view of the SOC practitioners, the concerns are overhyped.
Most of the questions in a peer review focus on the procedures that any CPA firm needs to perform a SOC engagement effectively, Pruitt said. She and the lead partner for her firm's financial services practice perform the internal technical reviews of each other's SOC work to ensure compliance with the standards.
The demand for SOC reports is already considerable and is likely to grow
The growing popularity of cloud services has led to new technology practices that carry different risks for businesses than those they faced in the past. CPA firm clients need assurance that their systems and data remain secure as their technology infrastructure changes, and SOC reports are a means of obtaining that assurance about the service providers they rely on.
For more information on SOC services, visit aicpa.org/soc. Information also is available on the three types of SOC for Service Organizations and the standards related to each; the SOC for Service Organizations page; and the SOC for Cybersecurity page.
Engagement teams need specific competencies
The AICPA guide SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy identifies the competencies and capabilities of engagement teams performing SOC engagements as follows:
- An understanding of the systems used to provide services, including the operation and security of those systems.
- Knowledge of the service organization's industry and business, including whether the service organization's industry is subject to specific types of or unusual security risks.
- An understanding of business processes and controls.
- Knowledge of relevant IT systems and technology, such as CPUs, networking, firewalls or firewall techniques, security protocols, operating systems, and databases.
- Knowledge of any uncommon technologies or industry-specific technology used by the service organization.
- An understanding of IT processes and controls, such as the management of operating systems, networking, and virtualization software and related security techniques; security principles and concepts; software development; and incident management and information risk management.
- Experience with evaluating the suitability of design and operating effectiveness of controls.
- An understanding of professional standards and the ability to apply professional skepticism and judgment in the examination.
- An understanding of legal and regulatory requirements relevant to the examination.
— Joseph Radigan is a freelance writer based in New York. To comment on this article or to suggest an idea for another article, contact Ken Tysiac, the JofA's editorial director, at Kenneth.Tysiac@aicpa-cima.com.