There was a comment posted yesterday on a LinkedIn discussion group that I follow. An individual asked the group how to respond to a service organization prospect that wanted to know what the "value proposition" of a SOC 2 report is. This is a situation that I'm sure a lot of service auditors find themselves in when dealing with service organizations who do not understand what risk assurance is.
The situation also got me thinking... What is the value proposition of my son giving me his password? If you ask him, he will tell you that there is no value in giving me his password. If you ask me, there is plenty of value there.
The fact is, he thinks I should trust him implicitly even though he knows there are good reasons why I do not. I would not be a good parent if I did not exercise judicious parental controls. I have a vested interest in the outcome of my son's upbringing. If he ends up in jail because of my poor parenting, who is the first person that he's going to call to bail him out? My "right to audit" his laptop, cell phone, or whatever else protects my interest, not his.
Answering a service organization's question about the value proposition of a SOC 2 report is like trying to explain the value proposition of parental control to my son. Risk assurance does not need a value proposition because it is valuable in itself. It is valuable to customers of service organizations. It is completely useless to service organizations themselves. Service organizations that do not understand the implicit value of risk assurance think customers should trust them, just like my son thinks I should just trust him.