CPAs and Automation in SOC 2 and IT Auditsby
Automation is here, and it’s having an impact on IT and SOC 2 audits. To embrace automation, and the tools that facilitate it, are the key.
The traditional way of doing IT and SOC 2 audits is going away, and it’s happening really fast, but that doesn’t mean CPA firms can’t adapt and enhance their practices, deliverables and value. Below are some tips on what’s happening and how CPAs can indeed embrace it.
What’s Going on Out There
SOC 2 reports have been on the rise the last few years. However, over the past 12 to 18 months, the rise has been exponential as companies shift to more remote work and embrace the cloud. That, along with an increase in security breaches, supply chain and vendor issues, and other cybersecurity incidents, have led to a greater demand for SOC 2 and other cyber reporting.
The demand is moving beyond large companies too. Small and medium-size enterprises, startups, and others are not ignoring strong cybersecurity postures, security questionnaires, or IT audit requirements (like SOC 2) in their contracts.
While CPA firms have been building and developing their IT audit practices, a variety of SOC 2 (and other governance, risk, and compliance) tools have appeared on the scene. These tools sell directly to clients and service organizations promoting efficiency in audits.
Often, they will list CPA firms that they work with to help sell packages to potential customers. From this, clients have begun to expect lower costs and higher efficiencies from their tools and their CPA firms.
The result has been clients paying annual subscription licenses for the tool and then demanding lower pricing for their SOC 2 audits. Some CPA firms have become early adopters of automation, charging fees for SOC 2 engagements that did not previously seem possible. The shift at this point is inevitable: the market is what the market is. CPAs will have to adapt or get muscled out by those willing to adapt and charge less.
What Do These Tools Do?
Many of the SOC 2 and IT audit tools have similar functions, but each have different features that make them unique. The most significant commonality, though, is the ability to integrate into the various cloud applications that clients use to support their service.
A common example is integrating with the cloud service provider (CSP) that hosts the client’s application. The automated tool pulls information from the CSP about who has access to the CSP environment, what databases they use, and other information. The tool then reports on whether or not the client is meeting its controls for privileged access, environment changes, and more. The tool will also gather evidence to support the control reporting for CPAs to use as evidence to support their audit.
Some will also include policy generators, system description generators, security-specific controls, and other features that help the client solidify its environment, resulting in a better cybersecurity posture. There are a few tools that fall short because they leave the client with an impression that they will have accomplished an audit by using the tool.
Of course, CPAs understand collecting evidence is only part of the process. CPAs have a lot more work to do, and often it includes asking the client for more information, sample testing, and gathering other documentation to support a complete file. If you have a client using these tools (or thinking about using them), you need to gauge whether the evidence package will support your audit as is or if you need more information.
The client and the tool provider should be aware of your findings so all expectations are in line with how the engagement will pan out. Naturally, the automation tools affect engagement fees. Is the tool going to reduce your level of effort (and in turn save the client money) or are you just getting a folder of evidence that you would have gotten from providing a request-for-information list? If the latter happens, the client will be upset because they spent money on a tool that did not provide effort savings for the CPA, and now they paid for a tool and are still paying the same price for the audit.
What Can CPAs Do?
Some tools, however, can do much more. Integration and control reporting can show the CPA real data from the source about how a control is operating and if it was effective during an audit period or not. The key is that CPAs will have to think differently from the traditional methods of doing IT audits.
Consider change management as an example. Traditionally, the CPA would request a population of changes during the entire audit period. A sample section would be made, and then the client would provide evidence for each of the items sampled.
Those samples may lead to questions, which result in more back and forth, taking an estimated six to eight hours to complete the test. Using a tool that integrates properly, the client can enable branch protections for change management, which ultimately means that the change process must be followed; otherwise, the change will not go through to production. The CPA can look to see if the control configuration is correct and if the branch protections were enabled throughout the period. The same test now takes 30 to 60 minutes to complete.
This illustrates how understanding the technology and how it can support an audit can significantly reduce audit time. Moreover, it will allow CPAs to reduce the cost and pricing of the engagement, thus enabling them to compete in the market against those already adopting automation.
Here is what CPAs – as well as their clients – should look for in an automation tool:
- Does it allow clients to generate policies?
- Does it allow clients to create system descriptions?
- What applications does it integrate with?
- What are the controls that the tool uses to measure against criteria? (Do they use their own or do they adopt yours?)
- What is the evidence the tool provides to support an audit?
- Does it allow you as the auditor to log in and view the data yourself?
- What other functions in the tool can the client perform (which will provide you evidence in the tool)?
-Security group reviews?
The industry recognizes that these tools are being used more and more. They are changing the way SOC 2 and IT audits are being performed, but they have to be looked at for what they provide and how they can help both the client and the auditor. In the end, companies cannot complete a SOC 2 without an auditor, so make sure your clients use something that makes your audit stronger, more efficient, and smoother for all parties.
The original article appeared in the Summer edition of the Pennsylvania CPA Journal.