The post “SOC 2 Compliance: Q&A with an Audit Expert – Liam Collins” features edited excerpts from Liam’s appearance in the inaugural episode of Trustero’s “Everything Compliance” video series. Below are some additional questions, answers, and recommendations from that interview.
Compliance reports are supposed to document a company’s compliance efforts and results, but there can be a wide variance in SOC 2 compliance reports. So what questions should compliance decision-makers ask to ensure their reports pass muster with their customers and business partners?
For the client, it’s really about thinking through who’s doing the work. Have they done it before? Is it an accredited firm? Do they know what they’re doing? Have they done this with other companies of a similar size, scale, scope, et cetera? Do they have CPAs signing off that are conversant in the requirements of a SOC 2 audit? Is it covering all the required elements of an actual SOC 2 report?
We’ve also seen reports coming from non-CPA firms which have been rejected, which then causes companies to have the work redone and end up paying twice for the same scope of work.
Are there particular report elements to which compliance decision-makers should pay particular attention?
The key elements to pay attention to would include the scope of the report to ensure that the report does indeed cover the system and services being performed for you by your vendor. The nature of the auditor’s opinion is also key, whether the report is unqualified or qualified. There is also a list of complementary user entity controls which outline controls that the reader’s company should have in place to complement the vendor’s controls. The other areas, such as the table of controls, are also important but tend to be reviewed relatively quickly by compliance decision-makers.
Cybersecurity is a serious concern at every company. So how do the pursuits of SOC 2 compliance and effective cybersecurity intersect today?
Compliance is not security, and a SOC 2 audit is still very much a point-in-time exercise. While compliance has taken a new severity level, especially where VCs are coming in and looking at investments, we see a shift to more continuous security monitoring at more mature organizations. We think of SOC 2 as an excellent framework to leverage when building a security program, but we urge our clients to mature beyond SOC 2 to more proactive security management.
Co-Lead of Armanino’s Trust Practice
Liam has over 20 years of assurance and consulting experience, including ten years with Big Four firms. He leads the firm’s Risk Assurance and Advisory Services practice, including its Cybersecurity, Privacy, Service Organization Control (SOC) audit, HITRUST, ISO 27001, Sarbanes-Oxley (SOX), Internal Audit, and IT Compliance service lines. Before joining Armanino, Liam served as a Managing Director at KPMG, where he was an engagement partner on a number of large assurance and consulting projects. He has also held audit, assurance, and IT leadership roles at PricewaterhouseCoopers (PwC), ControlMetric, Clare Chapman, and Prodapt.
Liam is a member of the American Institute of CPAs and the Information Systems Audit and Control Association (ISACA). He received a BSc in Accounting from Golden Gate University, a JD from the University of San Francisco School of Law, and an MBA from the Wharton School at the University of Pennsylvania.
Armanino LLP is one of the nation’s 25 largest independent accounting and business consulting firms. Armanino provides an integrated set of audit, tax, business management, consulting, and technology solutions to companies in the U.S. and globally. The firm helps clients adapt and change in every stage of business, from startup through rapid growth to the sale of a company. Armanino emphasizes smart technology, leading a cloud revolution of financial, operational, sales, and compliance tools that transform the way companies do business.