What is the Value Proposition of Knowing My Son's Password?

There was a comment posted yesterday on a LinkedIn discussion group that I follow.  An individual asked the group how to respond to a service organization prospect that wanted to know what the "value proposition" of a SOC 2 report is.  This is a situation that I'm sure a lot of service auditors find themselves in when dealing with service organizations who do not understand what risk assurance is.

The situation also got me thinking...What is the value proposition of my son giving me his password?  If you ask him, he will tell you that there is no value in giving me his password.  If you ask me, there is plenty of value there.

The fact is, he thinks I should trust him implicitly even though he knows there are good reasons why I do not.  I would not be a good parent if I did not exercise judicious parental controls.  I have a vested interest in the outcome of my son's upbringing.  If he ends up in jail because of my poor parenting, who is the first person that he's going to call to bail him out?  My "right to audit" his laptop, cell phone, or whatever else protects my interest not his.

Answering a service organization's question about the value proposition of a SOC2 report is like trying to explain the value proposition of parental control to my son.  Risk assurance does not need a value proposition because it is valuable in itself.  It is valuable to customers of service organizations.  It is completely useless to service organizations themselves.  Service organizations that do not understand the implicit value of risk assurance think customers should trust them, just like my son thinks I should just trust him.


  1. But there is value to the organisation.

    It may/will save them from having all their customers doing an audit. :)

    The problem is that even if you have SOC2 (or ISOxyz) big customers will still audit you (but probably less then if you don't have something in place.

    It's more like you checking the credentials of the teacher that teaches your son math. You probably don't because you assume/checked that school has done that.
    So the teacher does not get hassled by 300 parents if he/she is qualified.

  2. Franc, Thank you very much for your comment. I agree with you. That is the sole value that should be expected by management from third party assurance, and that is how I replied in the LinkedIn forum, but the individual indicated that their client wanted more than that. You can see the conversation here: http://linkd.in/JvAHAC