I wish… While the SOC 2 isn’t exactly going away, the AICPA is in the process of giving it a major revamp. Maybe we can call it SOC Version 2.1?
And, it’s about time!
Back in June, I grappled with the flaws of the current Service Organization Control (SOC) reporting system:
Don’t get me wrong. SOC 2 and 3 reports have their place. AICPA president Barry Melancon said at a conference in December that “we need a system where we can contractually require our technology suppliers to adhere to certain regulations.” I agree, and after I discussed data breaches a couple of weeks ago, it is clear we could be doing a better job keeping the bad guys at bay. The numbers are staggering.
Barry’s comment suggests that this topic has been on the AICPA’s radar for a while. Maybe technology suppliers will be required to supply a SOC 2 contractually — or some new report that is created as a part of the AICPA’s Cybersecurity Risk Management Initiative. Either way, it would be an easy way to secure future income for the profession and keep our skills relevant. However, I’m not totally sure it directly relates to accounting. Why did we take the CPA exam again?
In reality, are CPAs the right people to jump in as cybersecurity experts? Yes, it’s a good idea to beef up our resources and develop a more uniform product offering to protect the CPA brand. However, it could mean that CPA firms will need to bring in some non-CPAs to fill the knowledge weaknesses.
According to the AICPA:
Currently, CPAs provide cybersecurity examination services under a variety of generally accepted professional standards and approaches. However, the AICPA believes adoption of a more consistent profession- and market-wide approach for CPAs to examine and report on an entity’s cybersecurity measures would address the informational needs of a broad range of users. Further, it would introduce a level of consistency that does not exist at present in the context of cybersecurity reporting and related assurance.
Changes to wrap your head around
Two exposure drafts = two major changes, namely:
- The “AICPA is developing a new engagement that CPAs can perform to assist stakeholders as they evaluate and oversee the effectiveness of their organization’s cybersecurity risk management programs,” per the Center for Audit Quality. In practice, the SOC 2 engagement wasn’t quite fitting the bill to placate clients’ technology worries, so it’s a good idea for the AICPA to draw up something better.
- And, if adding a new engagement category weren’t enough, the SOC 2 is getting some AICPA love too. The Trust Services Criteria are getting a makeover to more closely align with COSO Internal Control—Integrated Framework. This reboot includes renaming and reorganizing to make the criteria less confusing. For example, the five principles (security, availability, processing integrity, confidentiality, and privacy) will no longer be “principles” but will live on as trust services “categories” going forward, since COSO already claimed the word “principles” with a different meaning.
It’s high time CPAs dolled up their cybersecurity product offerings. It’s a huge market and clients are begging for it, according to a 2015 CGMA survey cited in the Journal of Accountancy (JoA). The survey found 95% of clients “are concerned with the threat of database breaches, distributed denial of service (DDoS) attacks, phishing scams, and other cyberattacks.”
A new engagement to fill the gaps where the SOC 2 is lacking will help. Plus, who knows, maybe the tweaks to the SOC 2 will be just what the doctor ordered to keep the report relevant and worth the company’s expense.
What do you think? Should we just scrap the SOC 2 altogether and start over? Is the new cybersecurity examination a step in the right direction, or are CPAs overdoing it?
Oh, and if you are really excited about this topic — the comment period for the AICPA’s exposure drafts ends on December 5, 2016.