Okay, it's time to address a sensitive subject. In my post, "So Many Security Standards, Audits, and Certifications..." I laid out the reasons why I think CPAs need security professionals, and vice versa. It is a tough subject because no one likes to hear that they are not capable of doing something, and I am no exception.
Back in 2004, I was hired to "in-source" a previously outsourced IT function in hopes of saving the company money. The project included everything from purchasing and setting up new equipment to bringing on additional staff. The company ran SAP at the time, and part of my job was going to be managing SAP after the project was completed. When I was hired, I told the hiring manager that I had no experience managing SAP implementations, but that I had plenty of experience with ERP systems, so I should be able to handle it with some training and whatever documentation was available.
Well, needless to say, I overestimated my ability to learn SAP on the job (OJT), and quickly learned after my $7,000, one-week BASIS training class that you can't pick up SAP overnight.
My point is this: sometimes we fail to see that we don't know what we don't know. I consider myself an IT generalist even with over 15 years' experience in the IT industry. The fact is that the minute we step away from hands-on "doing", our knowledge becomes obsolete.
There is nothing that changes faster than technology, and if you are not ahead of it, you are ancient history. Within technology, security is at the forefront of rapid change, and there is nothing more critical for us as auditors to understand.
CPAs, here's the stark reality: Security professionals laugh at you behind your backs when you ask for and accept "kick to the tires" level evidence when doing so-called security audits.
Security professionals, don't get too comfortable: CPAs laugh at your so-called "certifications", and wonder why people accept your point-in-time assurance as evidence that your environment is secure.
There, I said it. It needed to be said, and you can get mad at me for saying it if you would like, but it is true.
If we are not careful, though, SOC2 will become a kick to the tires just like SAS70 was. I have already been met with resistance from CPAs who think they can do it all, just like I did back in 2004. Will they have the good sense to realize that they are wrong, as I did? On the opposite side, will security professionals see that CPAs bring their understanding of audit methodology and documentation to the security assurance space, where it is lacking today?