Accounting
SOC 2 reports reimagined: From burden to business enabler
Perception is a powerful force. Few challenges are greater than overcoming perceptions, especially those supported by historical realities, facts and cultural norms. However, in an era when the accounting profession is defined by change and technological evolution, our most significant opportunities lie in challenging those perceived beliefs. That is precisely what we should be doing with SOC reporting today.
System and Organization Control 2 reports have historically been viewed as slow and complicated engagements defined by frustration. The projects require extensive and detailed evidence collection and demand a high level of subjective judgment and customization, which are very different challenges from the financial statement audits many SOC professionals were raised performing. Approaching these engagements with spreadsheets and flash drives has also made the process very cumbersome and frustrating, solidifying the perception of SOC 2 reports as daunting and difficult.
Fortunately, an increasing number of organizations have continued to dredge through the process — the report’s value is immense, and it is often a requirement to conduct business. This provides a broad level of tolerance for flawed systems and acceptance that friction is core to completing a SOC 2 report or even viewed as a feature of a high-quality audit.
This perception — confusing, slow and frustrating with high quality — hinders innovation. It doesn’t result in simple acceptance of the status quo or fear of change but manifests as outright hostility towards ingenuity. If these audits are “supposed to be hard,” then any suggestion to make them easier is rejected.
And yet, in recent years, that has all begun to shift: There is real excitement and investment in SOC 2 services from innovators outside of public accounting. They are challenging every aspect of how these audits are conducted with broad positive and negative impacts that demand the evolution of the perspectives of auditors, clients and the industry as a whole. It’s time to change our outlook and embrace the advancements in performing SOC 2 audits to fully realize the incredible amount of value and competitive advantage the service can provide.
Legacy tools and processes
Financial statement audit processes, the foundation of most assurance practices, were created using a shared language between auditor and client. Most clients in that world have backgrounds as auditors and are supported by well-established financial terminology and systems. When an auditor asks for an “invoice” or “purchase order,” the CFO knows exactly what is being requested.
Such a luxury does not exist when working with the information security community, which has a diverse vocabulary with varying definitions, pronunciations, and an unlimited number of acronyms. Accountants have spent hundreds of years establishing translation guides and systems. If anything, the level of standardization in technology is astounding, but this is a new industry experiencing dramatic change. So, it makes sense that approaching SOC 2 services with the same tools and rhythms as a financial statement audit has not proven successful.
From a growing need, new tools emerge
In an effort to bridge that gap and provide automated control monitoring, governance, risk and compliance platforms have been created to help clients manage policies, access risk, control user access, and streamline compliance. Through the use of policy templates and checklists adopted by each client, these GRC platforms have created standardization, where there previously was none, and concentrated resources that make this service attainable for small companies.
In the same way that Apple brought the home computer into our living rooms, these tools are making SOC 2 reports mainstream.
GRC platforms are also capable of producing automated evidence, which attracts most of the attention and provides significant benefits. Yet the greater impact is the friction they’ve removed. This simpler and scaled approach to SOC 2 reports reduces the noise created by the back and forth between auditor and client while removing the poor organization so begrudgingly accepted, allowing the auditor to focus on providing value. That value can come from conducting a simple and straightforward, low-touch engagement or an in-depth and intense control inspection that identifies true vulnerabilities and significant risks to the business.
Regardless of the approach, the technology supporting these engagements continues to improve. Last year, the RegTech industry was valued at
The challenges attached to compliance shifts
This growth and evolution of SOC 2 compliance is not without consequences. As speed has increased and prices have dropped, there has been a growing resentment towards these new approaches, not all of which are unfounded. Concerns about overreliance on automated evidence, auditor relationships with GRC platforms, and subject matter expertise within an engagement team are very real challenges the profession must continue to address.
However, by ignoring and shunning the existence of these new tools in an effort to retain the engagement’s status as “hard,” auditors avoid any opportunity to create value that exists beyond the paperwork.
Identifying that value and educating the world on the need to blend these tools with the expertise and professionalism that has always accompanied these services is a critically important message right now. Without that shared understanding and positive messaging, we continue to struggle through the communication challenges we started with and drown in the noise.
Overcoming obstacles with the right message
SOC 2 audits are going to keep getting easier, faster, and cheaper. Emerging technology and growing demand have made SOC reporting a very competitive and fast-paced industry that will feel some bumps along the way, but the need this service fills will shape the profession.
And if the perception isn’t slow, frustrating, and resource-intensive — what should it be?
SOC 2 reports are really a storytelling mechanism. They allow companies to communicate the security practices they value and demonstrate they are deserving of trust. These details can then be exchanged with outside parties to support decision-making in ways that were not previously possible. Companies are now sharing the completion of these reports through trust pages on their websites and online marketplaces as a sales differentiator, which allows CPAs to impact businesses in new and exciting ways.
The value they provide internally can also not be ignored. Accountability and organizational alignment allow mature and growing businesses to thrive. These aspects of SOC 2 compliance have always been valued, but the new supporting tools have suddenly made the experience practical, which should be celebrated.
When viewed as a mechanism for sharing information and allowing the client to be the author, you not only offer validation but a new mechanism for them to understand their own needs. It serves to track, evaluate, and understand critical aspects of their business in the same way the accounting ledger helps them understand their financial position. Instead of being a challenge or roadblock to overcome, you position clients to thoughtfully understand, own and communicate the aspects of their security program, which can be embedded into the organization’s way of life.
The International Auditing and Assurance Standards Board is proposing to tailor some of its standards to align with recent additions to the International Ethics Standards Board for Accountants’ International Code of Ethics for Professional Accountants when it comes to using the work of an external expert.
The
- ISA 620, Using the Work of an Auditor’s Expert;
- ISRE 2400 (Revised), Engagements to Review Historical Financial Statements;
- ISAE 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information;
- ISRS 4400 (Revised), Agreed-upon Procedures Engagements.
The IAASB is asking for comments via a digital response template that can be found on the
In December 2023, the IESBA approved an exposure draft for proposed revisions to the IESBA’s Code of Ethics related to using the work of an external expert. The proposals included three new sections to the Code of Ethics, including provisions for professional accountants in public practice; professional accountants in business and sustainability assurance practitioners. The IESBA approved the provisions on using the work of an external expert at its December 2024 meeting, establishing an ethical framework to guide accountants and sustainability assurance practitioners in evaluating whether an external expert has the necessary competence, capabilities and objectivity to use their work, as well as provisions on applying the Ethics Code’s conceptual framework when using the work of an outside expert.
President Donald Trump’s tariffs would effectively cause a tax increase for low-income families that is more than three times higher than what wealthier Americans would pay, according to an
The report from the progressive think tank outlined the outcomes for Americans of all backgrounds if the tariffs currently in effect remain in place next year. Those making $28,600 or less would have to spend 6.2% more of their income due to higher prices, while the richest Americans with income of at least $914,900 are expected to spend 1.7% more. Middle-income families making between $55,100 and $94,100 would pay 5% more of their earnings.
Trump has
Economists have warned that costs from tariff increases would ultimately be passed on to U.S. consumers. And while prices will rise for everyone, lower-income families are expected to lose a larger portion of their budgets because they tend to spend more of their earnings on goods, including food and other necessities, compared to wealthier individuals.
Food prices could rise by 2.6% in the short run due to tariffs, according to an
The Yale Budget Lab projected that the tariffs would result in a loss of $4,700 a year on average for American households.
Artificial intelligence is just getting started in the accounting world, but it is already helping firms like technology specialist
Schellman CEO Avani Desai said there have definitely been some shifts in headcount at the Top 100 Firm, though she stressed it was nothing dramatic, as it mostly reflects natural attrition combined with being more selective with hiring. She said the firm has already made an internal decision to not reduce headcount in force, as that just indicates they didn’t hire properly the first time.
“It hasn’t been about reducing roles but evolving how we do work, so there wasn’t one specific date where we ‘started’ the reduction. It’s been more case by case. We’ve held back on refilling certain roles when we saw opportunities to streamline, especially with the use of new technologies like AI,” she said.
One area where the firm has found such opportunities has been in the testing of certain cybersecurity controls, particularly within the SOC framework. The firm examined all the controls it tests on the service side and asked which ones require human judgment or deep expertise. The answer was a lot of them. But for the ones that don’t, AI algorithms have been able to significantly lighten the load.
“[If] we don’t refill a role, it’s because the need actually has changed, or the process has improved so significantly [that] the workload is lighter or shared across the smarter system. So that’s what’s happening,” said Desai.
Outside of client services like SOC control testing and reporting, the firm has found efficiencies in administrative functions as well as certain internal operational processes. On the latter point, Desai noted that Schellman’s engineers, including the chief information officer, have been using AI to help develop code, which means they’re not relying as much on outside expertise on the internal service delivery side of things. There are still people in the development process, but their roles are changing: They’re writing less code, and doing more reviewing of code before it gets pushed into production, saving time and creating efficiencies.
“The best way for me to say this is, to us, this has been intentional. We paused hiring in a few areas where we saw overlaps, where technology was really working,” said Desai.
However, even in an age awash with AI, Schellman acknowledges there are certain jobs that need a human, at least for now. For example, the firm does assessments for the FedRAMP program, which is needed for cloud service providers to contract with certain government agencies. These assessments, even in the most stable of times, can be long and complex engagements, to say nothing of the less predictable nature of the current government. As such, it does not make as much sense to reduce human staff in this area.
“The way it is right now for us to do FedRAMP engagements, it’s a very manual process. There’s a lot of back and forth between us and a third party, the government, and we don’t see a lot of overall application or technology help… We’re in the federal space and you can imagine, [with] what’s going on right now, there’s a big changing market condition for clients and their pricing pressure,” said Desai.
As Schellman reduces staff levels in some places, it is increasing them in others. Desai said the firm is actively hiring in certain areas. In particular, it’s adding staff in technical cybersecurity (e.g., penetration testers), the aforementioned FedRAMP engagements, AI assessment (in line with recently becoming an ISO 42001 certification body) and in some client-facing roles like marketing and sales.
“So, to me, this isn’t about doing more with less … It’s about doing more of the right things with the right people,” said Desai.
While these moves have resulted in savings, she said that was never really the point, so whatever the firm has saved from staffing efficiencies it has reinvested in its tech stack to build its service line further. When asked for an example, she said the firm would like to focus more on penetration testing by building a SaaS tool for it. While Schellman has a proof of concept developed, she noted it would take a lot of money and time to deploy a full solution — both of which the firm now has more of because of its efficiency moves.
“What is the ‘why’ behind these decisions? The ‘why’ for us isn’t what I think you traditionally see, which is ‘We need to get profitability high. We need to have less people do more things.’ That’s not what it is like,” said Desai. “I want to be able to focus on quality. And the only way I think I can focus on quality is if my people are not focusing on things that don’t matter … I feel like I’m in a much better place because the smart people that I’ve hired are working on the riskiest and most complicated things.”
German fiscal boost won’t outweigh tariff drag for euro zone: IMF
Chinese factories stop production, eye new markets as U.S. tariffs hit
Water sommeliers say the simplest drink is the future of luxury
New 2023 K-1 instructions stir the CAMT pot for partnerships and corporations
The Essential Practice of Bank and Credit Card Statement Reconciliation
Are American progressives making themselves sad?
-
Economics1 week ago‘He should bring them down’
-
Economics1 week agoTrump’s approval rating on economy at lowest of presidential career
-
Blog Post1 week agoDocumenting Bookkeeping Processes and Procedures
-
Economics1 week agoDonald Trump wants a certain kind of immigrant: the uber-rich
-
Economics1 week agoChecks and Balance newsletter: The Democrats’ future is up for grabs
-
Economics1 week agoTrump tariffs could cause summer economic slump: Chicago Fed president
-
Personal Finance6 days agoConsumers are making different financial choices in response to tariffs
-
Personal Finance1 week agoExperts see higher stagflation risks. Here’s what it means for your money