Have you ever wondered why SOC 2 is administered by a group of accountants? Many people I talk to have no idea. When I explain that SOC2 is handled by the AICPA—the Association of International Certified Professional Accountants—they can’t help wondering why “bean counters” are even involved with cyber security.
But it makes more sense than you might think. CPAs excel at auditing—and the SOC 2 certification process is essentially an extended audit of your cyber security operations. Once the audit is complete, the CPA issues its “attestation report”—an official statement from your certified auditor that your systems and controls offer adequate cyber security protection.
That statement is not a license or a regulatory approval, so “SOC 2 compliance” is a misnomer. In fact, SOC 2 attestation is a statement, verified by a CPA, that your cyber security meets the Trust Services Criteria and other guidelines that spell out requirements for implementing and maintaining security controls.
For that reason, failing to pass your audit does not stop you from doing business. Your next step would be mitigating your risk and undergoing the process again. Most companies choose to find and fix vulnerabilities before starting over. Their data is protected, and they can prove it to customers and investors—which is what they care about.
Put another way, it’s the documentation that matters rather than the credential.
The same thing holds true for ISO 27001, which is not a requirement for doing business, but like SOC2, assures clients and investors that a company’s cyber security plan meets industry standards for protecting data.
Weighing the Costs of SOC2 Attestation
Unlike companies facing financial audits—which typically have internal auditors to help—organizations facing SOC 2 audits often walk into the process without comprehending the time and money the process can take.
Some companies expect they can rely on their in-house IT teams to work the SOC2 process into their regular responsibilities. And some IT employees enter the process believing that’s possible. But this is not a spare-time project; it takes focus and expertise. So time is the most significant soft cost.
The hard costs are easier to define:
- a governance, risk management, and compliance platform (a SaaS platform to track your policies and evidence)
- an auditor’s services
- additional systems needed to comply with certain TSC controls (It is best practice to understand what additional systems you may need in advance of undertaking a SOC2 certification.)
There is a hard-cost solution to the soft-cost concern of losing time or lacking expertise: hire a contractor adept at conducting the assessments and offering vCISO services to help you mitigate vulnerabilities before a CPA starts evaluating your systems and protocols.