The absolute craziest part of the compliance industry is that we have Certified Public Accountants (CPA’s) operating as the auditors for a SOC 2 attestation.

Don’t get me wrong, we love our auditing partners. Oneleet has scoured the globe to find some of the best auditors out there, who are not only accredited CPAs qualified to perform a SOC 2 audit by the AICPA, but actually understand the technical security evidence that goes into a SOC 2 report.

But the reality of the industry is that 99% of the CPAs who audit SOC 2 reports, have extremely little understanding of the security controls themselves.

So when we get the question “does it matter who audits your SOC 2 report?”

The answer is: kind of.

What even IS a “SOC 2 certification”?

To fully understand the importance of the CPA auditing the SOC 2 report, the first thing to understand is that SOC 2 isn’t a certification like ISO 27001 (the European standard for security controls).

SOC 2 is an attestation framework, where a company will attest to their security controls, and then that attestation is audited by a CPA for accuracy, then compiled into a SOC report.

TLDR: You can think of a SOC 2 report like having audited financial statements, but for your security controls.

One company might have a balance sheet that describes an organization making billions of dollars, while another company might also have a balance sheet that describes an organization losing billions of dollars.

Now ask yourself - how important is it “who was the CPA” that audited their financial statements?

It’s critical that the information is accurate. Absolutely. It’s MORE important what was actually in the financial statements.

What is actually in your SOC 2 report is going to matter drastically more than who was the CPA who performed the audit. Because SOC 2 is an attestation framework, not a certification, there is no real inherent value in simply “having a SOC 2 report”, it’s simply a framework to attest to the legitimacy of what you describe.

While the CPA is there to judge accuracy, you will eventually hand your SOC 2 report to a CISO or IT manager of a company you are trying to sell into or partner with, and it’s that security expert who is then going to make the value judgment of what is inside your SOC 2 report.

What needs to be in your SOC 2 report?

While SOC 2 lays out 5 Trust Services Criteria which can be used to evaluate reports on controls related to security, availability, processing integrity, confidentiality, and privacy within a service organization's controls - this is a flexible framework.

You can think of these as an outline of areas in which you can talk about the security controls your organization has in place, in which a CPA can then verify for accuracy.

The power of a SOC 2 report is that these 5 TSC’s are intentionally designed to be very flexible. They can easily scale from a small startup with 2 humans, to a giant organization with 1,000+ humans. They can be modified to transition between industries from finance, to healthcare, to legal tech, and beyond.

There are two really important concepts you need to think through when determining what should go into your SOC 2 controls.

1. What should I actually be doing, to provide real-world security for my organization.

2. What controls will need to be in place, so I can pass a security review?

The saddest thing in the world is when we see companies jumping through security theater hoops, usually as part of a templated SOC 2 program that’s simply being copied & pasted, and they are running around doing things that neither build real-world security OR are going to be helping that company pass a security review.

Anything that doesn’t serve one of these two objectives is a waste of your time, and doesn’t belong (or need to be) in your SOC 2 controls.

Knowing what needs to be in your SOC 2 controls is also a really critical piece of why it’s important to have some level of security expertise on your team before building out your program and attempting to obtain a SOC 2 report.

CISO’s within healthcare are going to care about different things than those within finance, which will be different from construction or government agencies. Hospital systems will be different from laboratories. Banks are going to be different from private equity.

The type of sensitive data your company is protecting is going to be different, the location of your employees (and associated geographical risks) will vary.

Sure, there are some general stuff you should be implementing. Collecting audit logs, setting up MFA, making sure you have employee owned devices, performing background checks.

But how you do these things, what versions you implement, and the overall scope of your program is going to vary a lot.

Make sure you don’t spend tens of thousands of dollars and go through this 4-6 month process of obtaining a SOC 2 type 2 report, without first making sure you have the right controls in your SOC 2 program that is going to optimize your revenue and allow you to pass security reviews with flying colors.

TLDR Summary: Putting it all together.

The only time we have seen the name of the auditor become a major issue, is if you’re dealing with an auditor that has a history of issuing shady or “cheap” SOC 2 reports (they push out reports with major errors), or if you’re specifically selling your product into a Big 4 Accounting Firm.

As long as you’re using a reputable CPA, one that’s in good standing, does a solid job, provides accurate information - you’re almost always good to go.

What’s going to matter drastically more than the name of the CPA is what’s actually in the SOC 2 report, and whether or not your list of controls describes an organization that is a digital fortress, or a cardboard box susceptible to threats.

Get a CPA that will do a good job, provide an accurate report, and hopefully understands the evidence they are auditing so you don’t have to hop on too many zoom calls trying to explain your technical infrastructure to a financial human who doesn’t have a background in security.