The Importance of Selecting the Right SOC Auditor for your Organization

Key traits to look for when choosing a SOC auditor

Organizations today understand that outsourcing functions to service providers, such as a software-as-a-service provider, does not transfer all the risk to the service provider. Sophisticated organizations have robust vendor risk management practices, which often include requesting System and Organization Controls (SOC) reports from service providers that handle sensitive data, provide critical technology services, or process financial transactions. 

SOC reports are often requested because they provide a standardized yet flexible approach for service providers to convey audited information about their control environment. That flexibility gives service providers the opportunity to provide the detailed and quality report their customers require. Poor quality SOC reports are easily spotted and are often rejected by sophisticated customers and their auditors. Therefore, when selecting a SOC auditor, it’s crucial to consider not just the cost but also the quality and depth of the audit. 

Service organizations should select a SOC auditor that will perform robust testing and produce a quality report. Although a SOC auditor cannot perform management functions, a client-focused and experienced SOC auditor will also provide recommendations that can improve the quality of your report, identify operational efficiencies, and improve security. 

How to identify the right fit

The following are some of the characteristics of a client-focused SOC auditor and the questions you should ask of prospective SOC auditors: 

  • Quality is a priority

    Many companies experience a variety of pressures that can impair the quality of an audit, such as budget and time constraints. While fast, budget-friendly SOC audits may seem attractive, they often come at a hidden cost: compromised quality. These cut-rate reports frequently bear the hallmarks of a ‘one-size-fits-all’ approach, lacking the depth and specificity that a thorough SOC report should provide.

    Instead of offering detailed insights tailored to your company’s unique processes and controls, these reports often rely on generic, boilerplate language that adds little value. The result is a document that, at best, may check the compliance box but fails to deliver meaningful assurance or actionable insights to stakeholders. In essence, you and your customers are left with a superficial veneer of assurance rather than a robust evaluation of your control environment. 

    Ask your prospective auditor: How do you help your customers ensure their SOC audit reports provide a comprehensive, tailored description and assessment of their specific control environment rather than relying on generic, templated language? 

  • Insights and opportunities are actionable

    SOC auditors have the privilege of observing the operations of many businesses. Over time they amass deep knowledge of what works well and what doesn’t. High-quality SOC audits do more than just provide assurance on a company’s internal controls. Unlike cheaper, expedited reports, a top-tier audit delivers practical observations and recommendations that can genuinely improve your processes. SOC auditors who hold back these insights are doing a disservice to their clients.

    Ask your prospective auditor: How do your auditors provide best practice feedback to your team members, and what are some examples of how they’ve provided this feedback to other clients? 

Any SOC auditor that prioritizes quality and their client’s success will be able to provide extensive examples and speak to you at length about how their processes and teams support these objectives. The case study below is just one example of how Keiter recently helped a client in just one of the above areas. 


Case Study: Enhancing Efficiency Through Third-Party Device Management Software 

Background

A client approached us with a user access review control that required an employee to log into many individual servers to generate the user reports used in their review. During our walkthroughs, it became clear that this process was both time-consuming and highly manual. 

Challenge

While we noted the control was properly designed and operated effectively, it required the control owner to log into dozens of servers to manually run scripts that generated lists of local user accounts. These results then had to be manually combined. Their process worked, but it required significant time and would not scale as the company grew. 

Solution

We offered insights that would streamline this control process without introducing new tools or adding more manual steps. During a walkthrough of a different control, we noted that the client used a third-party patch management software. Given our experience with similar tools, we suspected the manual process could be automated and researched the software’s functionality. We found that it could execute the scripts that generate the lists of users across all servers and compile the output into a single file with a single click. We presented this recommendation to our client. They validated that the same function worked as expected in their environment, and they implemented the change in their process. This generated substantial time savings and reduced the potential for a control failure by eliminating hours of mundane, error-prone manual activity. 
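As an added illustration (not the client's script or the management tool's feature, neither of which the case study names), the following shell script shows what the two halves of the automated control look like: a per-server step that exports local accounts in a fixed CSV shape, and a consolidation step that merges the per-server output into one review file. It assumes Linux servers whose local accounts live in /etc/passwd; the passwd contents, hostnames and file paths are constructed for the example. On Windows hosts the per-server step would use Get-LocalUser instead, but the report structure is the same.

```shell
#!/bin/sh
# Added example: local account export for a user access review.
# Assumes Linux/Unix servers where local accounts live in /etc/passwd;
# the constructed sample files below stand in for real servers.

# users_report PASSWD_FILE HOSTNAME
# Prints one CSV line per local account: host,user,uid,gid,shell,interactive.
# "interactive" is yes unless the login shell is nologin/false or empty, so
# a reviewer can focus on accounts that can actually log in.
users_report() {
    passwd_file="$1"
    host="$2"
    awk -F: -v host="$host" '
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        {
            shell = $7
            interactive = "yes"
            if (shell == "" || shell ~ /(nologin|false)$/) interactive = "no"
            printf "%s,%s,%s,%s,%s,%s\n", host, $1, $3, $4, shell, interactive
        }' "$passwd_file"
}

# merge_reports OUT_FILE REPORT_FILE...
# Consolidates per-host reports into one CSV with a single header row;
# this is the file the control owner would retain as review evidence.
merge_reports() {
    out="$1"; shift
    echo "host,user,uid,gid,shell,interactive" > "$out"
    cat "$@" >> "$out"
}

# count_interactive CSV_FILE
# Number of interactive accounts across all hosts in a merged report.
count_interactive() {
    awk -F, 'NR > 1 && $6 == "yes"' "$1" | wc -l | tr -d ' '
}

# --- constructed sample data (hypothetical hosts app01 and db01) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/passwd.app01" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001:Deploy User:/home/deploy:/bin/bash
jdoe:x:1002:1002:J Doe:/home/jdoe:/bin/bash
EOF
cat > "$tmpdir/passwd.db01" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL:/var/lib/postgresql:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF

# Per-server step (what a management tool would run on each host) ...
users_report "$tmpdir/passwd.app01" app01 > "$tmpdir/report.app01"
users_report "$tmpdir/passwd.db01"  db01  > "$tmpdir/report.db01"
# ... and the consolidation step that replaces the manual combining.
merge_reports "$tmpdir/user_access_review.csv" \
    "$tmpdir/report.app01" "$tmpdir/report.db01"

cat "$tmpdir/user_access_review.csv"
count_interactive "$tmpdir/user_access_review.csv"   # 5
```

Whichever tool runs the per-server step, the consolidated file is only as complete as the set of hosts the tool targets, so the review should reconcile the hosts present in the CSV against the server inventory before the control owner signs off.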

Results

This case highlights the importance of looking beyond basic audit requirements to identify opportunities for enhancing efficiency and effectiveness. In performing this audit, we not only provided a high-quality audit report which satisfied the assurance needs of their customers, but we also provided a valuable, time-saving recommendation that improved their control processes. 

At Keiter Technologies, our mission is to deliver high-quality, comprehensive SOC audit reports that meet regulatory standards while offering actionable recommendations for continuous improvement. Our dedication to excellence ensures that our clients receive exceptional service, helping them enhance their operations and demonstrate how they meet their security and business objectives. 

Contact our team today to learn how we can help your business with its SOC audit needs. Email or call 804.747.0000.

About the Author


Steven has experience delivering SOC examinations, information technology audits, Sarbanes-Oxley audits, and a diverse range of cybersecurity services to clients across various industries, including software as a service, financial services, utilities, and managed service providers (MSPs).

Steven possesses a robust blend of IT expertise, spanning IT audits, cybersecurity risk assessments, and system administration best practices, allowing him to effectively collaborate with clients to enhance efficiency through remote monitoring and management tools, streamlining reporting processes and system configurations.


The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
