Compliance

The Danger of Commoditized SOC Audits

Ben miller

Ben Miller

Director, Assessment Services, Coalfire

July 19, 2024

In the evolving world of compliance and third-party risk management, SOC 2 is one of the many frameworks that is at the forefront of Governance, Risk, and Compliance (GRC) conversations. While many frameworks have specified industry or region relevance, SOC 2 is widely viewed as table stakes for doing business with other organizations. Why is that? 

SOC (System and Organizational Controls) has been around since the early 1990s. Designed and managed by the American Institute of Certified Public Accountants (AICPA), SOC was originally designed as a compliance framework to provide assurance that third parties are meeting their control obligations as it relates to financial reporting in the form of SOC 1. It wasn’t until 2010 that the SOC 2 framework was established to provide customers with a more tech-friendly and security focused view into the third parties that they rely on. 

Since 2010, SOC 2 has evolved into the baseline framework for service organizations to build trust in the marketplace by demonstrating industry-best security practices for protecting client data. Most organizations’ vendor management processes require an attested SOC 2 Type 2 report at a minimum as a prerequisite for doing business. With this industry-wide adoption of SOC 2, organizations have been looking for the cheapest, quickest way to check the SOC 2 box. This has led to a commoditized market for SOC 2 audit services, including SaaS solutions advertising a "one-size-fits-all" approach and audit services generating reports for pennies on the dollar. 

In any assessment or audit service, organizations should expect expertise and experience from their assessors. These assessors should be well qualified to appropriately audit a myriad of cloud, on-prem, and hybrid environments, often holding one or multiple certifications, and be able to articulate requirements and control activity effectively. No environment is the same, and clients have unique architecture and procedures that need to be appropriately assessed by an expert. Not only should the assessor be technically savvy, but they should also have specific expertise in the SOC framework. 

Control design and operation can vary from client to client, and your assessor should be a subject matter expert in assessing a wide range of SOC controls. They should also be able to partner with you and articulate the "what", "how", and most importantly, the "why" for their requests. 

In addition to having expert assessors, the emergence of audit technology should be embraced by the industry to help drive efficiency and streamline assessments. Long gone are the days of pen-and-paper assessments. Auditors should be well versed in utilizing and leveraging audit tooling to make assessments as smooth as possible. Audit technology has advanced tremendously in the past 5 years, giving clients insights into evidence requests, control design, and additional guidance ahead of their upcoming audits. 

However, these tools should not be used as a "set-and-forget" silver bullet. They still require competent end users to engage regularly and expert auditors to digest and evaluate the artifacts. 

While an "out-of-the-box" or "plug-and-play" SOC 2 audit solution sounds quite appealing from a sales pitch, there are very important risks and considerations when thinking about procuring and implementing automated SOC 2 solutions in your environment. 

First and foremost, an audit tooling is only as effective as the auditor assessing your environment. Collecting evidence automatically can certainly help reduce man-hours during an assessment, however it is critical that the evidence collected is appropriate and relevant for the controls assessed by the auditor. Setup of this tooling, specifically setup of evidence gathered and mapping to the in-scope controls, should be done in coordination with your auditor's feedback. It can be incredibly frustrating to procure a new tool, only for a third-party auditor to start the assessment and indicate that the evidence gathered is insufficient. 

Check-the-box solutions should be heavily scrutinized due to the expertise required for the assessment, as audit expertise incorporated into the tooling (and conducting the assessment) is critical for an effective evaluation of an organization’s control environment. Some key factors in setup and use of automation tools are related to fundamental audit expectations including completeness, integrity, and timeliness.

For completeness, ensuring that the control evaluated is being validated across the entire portfolio of systems that are part of the scope of the SOC 2 reporting environment. 

Too many times, we see organizations connect tools to portions of an environment which does not meet the expectations of the audit requirements. Additionally, for integrity, ensure the retrieved data is from the source that can be used to evaluate the control effectiveness and ensure any automated validation is configured properly to assess the control as designed. Finally, regarding timeliness, it is critical that the automation is run within the appropriate time to meet the reporting period. 

While these factors seem pretty straight-forward, whatever solution is being used should allow the auditor to have visibility into the necessary elements of the cloud environment to validate the configuration of the automation and any downstream process to remediate or document anomalies for reliance by the auditor. 

Coalfire’s Compliance Essentials solution is built by the multitude of subject matter experts to help clients interpret and understand complex reporting requirements across many frameworks, including SOC 2. Procuring a shiny new tool might be an exciting prospect for clients, but it is critical to consider hands-on setup and ongoing management, paired with auditor expertise. 

It is also just as critical, when you want to leverage the same information across multiple frameworks, that the mapping is done at the appropriate level to ensure that the information can be used appropriately for other frameworks. Many generic mapping approaches focus on a control-based mapping that does not consider the artifact that is required to demonstrate the control, which leads to inadequate and inappropriate evidence considered for controls, leading to additional work. 

As you evaluate third party assessors to conduct your SOC audit, bear in mind the competency and expertise your assessor is bringing in addition to automation workflows brought by a compliance automation or GRC platform. Your auditor should be willing and able to partner with you for every step of your SOC journey by helping you understand audit complexities, articulate evidence requests, describe issues or exceptions, and bring all of this through the lens of your unique tech stack. 

Be wary of one-size-fits-all solutions, platforms or auditors, that provide check-the-box audit reports. At the end of the day, a company’s reliance on the controls in a SOC report are only as good as the team that performed the audit and signed off on the results. In today’s evolving world of cybersecurity, you should only seek the best to demonstrate your security posture and build trust with your customers. Confidence in your SOC 2 report and control environment is what you and your customers expect and, frankly, deserve.