With organizations outsourcing more business processes to third parties, the challenges of protecting computer systems and networks from information disclosure, theft, or damage are becoming more critical than ever. Your firm — as trusted business advisers — may be able to help clients manage these risks.
Kicking around third-party risks
Most businesses depend on outside third parties for a range of tasks that may include security and financial reporting — but using third parties can increase security and privacy risks. With the technological landscape changing daily, that dependence is only becoming deeper and more complex, making performance testing essential.
Just as businesses look to third parties to perform in a manner they can trust, they also look to CPAs as trusted advisers to test third-party performance. The testing may extend beyond security or financial reporting and may involve areas such as privacy, availability, and confidentiality as well.
That’s where system and organization controls (SOC) come into play.
Let’s play SOC-er
SOC refers to certain checks CPA firms may provide to help organizations manage risks. SOC services focus on examining and reporting on aspects of organizations’ system processes and controls. Two SOC services are most common.
SOC 1® — SOC for Service Organizations: ICFR: A SOC 1 report is designed to help organizations manage risks related to users’ internal control over financial reporting. It includes a description of a service organization’s system and an evaluation of whether controls were suitably designed and operated effectively to achieve the organization’s objectives.
SOC 2® — SOC for Service Organizations: Trust Services Criteria: A SOC 2 report helps organizations manage risks related to security, availability, processing integrity, confidentiality or privacy.
Giving SOC a shot
A 2020 survey of CPA firms indicated that the demand for SOC services was growing. The number of SOC 2 engagements increased by almost 50% from the previous two years.
Firms need personnel with certain skills and competencies (for instance, around IT systems and risks and controls) to perform SOC services. The revenue opportunities from providing SOC services in this growing market area may offset the costs of upskilling staff, hiring qualified personnel, or networking with firms that already provide these services.
Being skilled for this ever-changing team is, and will be, a firm and career differentiator.
Meet your goals at the SOC & Third-Party Risk Management Conference
If you’re ready to get in the game and become a trusted adviser for your team, consider learning more about SOC at AICPA & CIMA’s inaugural SOC & Third-Party Risk Management Conference.
There are two tracks for you in this conference: track one teaches you how to be a SOC-er player, and track two gets you the inside scoop on running the plays for SOC and risk-management work and upskilling your team. If you’re not sure which track to follow or even if SOC is right for your firm, the session “Setting Up a SOC Practice” will discuss considerations when deciding whether your firm should enter this new market.
The conference will be held virtually May 3–4, and registration is open.