A Good, but Disappointing Whitepaper on SOC Reports

Last week I reviewed a recently published whitepaper on SOC reports, authored by Sandy Torchia and Mark Lundin.  I applaud them on the amount of work they obviously poured into providing this guidance and could speak at length about the positive aspects of every page, but I have two major things against it.

First, I think they missed their chance to take a stand against service organizations and service auditors using SOC 1 reports incorrectly when they included this sentence on page 5 (Actually page 7 if you include the cover pages):

"A SOC 1 report generally should not cover services or control domains that are not relevant to users from an ICOFR perspective, and it specifically cannot cover topics such as disaster recovery and privacy."

The word "generally" leaves the door wide open for anyone who wants to make the case that they are the exception, and the words "should not" imply there is no definitive rule.  The AICPA has been clear on this.  SOC 1 is for ICFR, and SOC 2 is for non-ICFR.  There are no maybes about it.  No wonder the market is so confused.

Second, they missed the opportunity to set themselves apart from those who ignored the changes in the standards in year one by including this disclaimer on page 4 (Actually page 6):

"*Note: In certain cases, a SOC 1 report might cover supporting IT controls only, depending on the nature of services provided."

Almost every word in this sentence is ambiguous.  If I were a service organization or a service auditor looking to keep things exactly the way they were under SAS 70, I would find huge comfort in this note.  The biggest problem is that "supporting IT controls" can be defined however I want.  The only real test is that the controls be "reasonable in the circumstances", according to the standard that SOC 1 is based on: SSAE 16 (AT-801).

Change does not happen when people who do not want to change are given options to stick with the status quo.

Who's Who - Changing the Risk Assurance Industry Together

Last week I blogged about how the market does not seem to place value in names and reputations of service auditors when it comes to Service Organization Controls (SOC) Reports in my post titled "What is the Value of a Good Name."

This is demonstrated in the market by the fact that small boutique CPA firms are included in RFP distribution lists alongside Top 10 CPA firms, and are even winning engagements over Top 10 CPA firms.  These firms, which had to stop using their previous names when those names became irrelevant after SAS 70 was replaced by SOC reports last year, have attractive audit fees, but they do not have as much to lose as the larger firms.

Larger CPA firms that, in some cases, have reputations spanning over 100 years do not roll the dice on attestation engagements that risk damaging their names.  They make sure that audits are performed with sufficient care to mitigate that risk, and that care translates to more time spent conducting the audit.  More time translates to higher cost.  Higher cost means higher audit fees.

So I got to thinking, "How can we change this?"  I mean, as long as user organizations see no difference between reports signed by small boutique CPA firms and reports from Top 100 or even Top 10 CPA firms, then what's the use?  Why should Top 100 CPA firms even bother risking their reputations on SOC reports?

There needs to be a Global Registry of Service Organizations similar to Visa's Global Registry of Service Providers that lists service organizations along with their auditor, and the date of their attestation.  The transparency that such a list provides will distinguish the service organizations that used larger CPA firms from those who used small boutique CPA firms.

Service organizations that make the extra investment to secure a report from Top 100 CPA firms may be in a more competitive position in the market as compared with those who do not.  An additional benefit to creating this registry will be the ability to cross-reference against DataLossDB.org to see who the service auditor was when companies are breached.  Service auditors with good track records can be rewarded, and those with bad ones can be replaced.

I think that this registry will need to be ultimately created and kept by an independent organization such as the AICPA, or incorporated in registries such as the Cloud Security Alliance's CSTAR, but I also realize that these things take time.  So to get the ball rolling in the meantime, I have added a page to my blog called "Who's Who."

This registry can be populated by anyone, so whether you are a service auditor, service organization, or a user entity, please feel free to enter the information as it is available to you.  I am going to be entering every piece of information that I come across as well, so this could end up being a pretty decent list.  I will compile the information, and refresh the list periodically.

Together we can change the risk assurance industry.  Let's go for it!

What is the Value of a Good Name?

Quick, what is the first thing you think of when you hear the name "Arthur Andersen?" I am not going to get into the details of the Enron scandal, but if you are like me, you associate Arthur Andersen and the firm's demise with Enron.

Having a Good Name

I looked Arthur Andersen up on Wikipedia, and learned a little about who the founder of this CPA firm was. According to Wikipedia: "Andersen, who headed the firm until his death in 1947, was a zealous supporter of high standards in the accounting industry. A stickler for honesty, he argued that accountants' responsibility was to investors, not their clients' management. During the early years, it is reputed that Andersen was approached by an executive from a local rail utility to sign off on accounts containing flawed accounting, or else face the loss of a major client. Andersen refused in no uncertain terms, replying that there was 'not enough money in the city of Chicago' to make him do it. Leonard Spacek, who succeeded Andersen at the founder's death, continued this emphasis on honesty. For many years, Andersen's motto was 'Think straight, talk straight.'"

So how did such an honest man's name get tarnished to the extent that his legacy, a Big 5 CPA firm, had to go out of business a few decades after his death? All it took was the association of his name with dishonest people. 9.3 billion dollars per year was the value of having a good name to the formerly respectable CPA firm Arthur Andersen. Based on this example and others that history has given us, it is safe to conclude that having a good name is equal to the value of an auditor's very existence in the industry...or is it? What happens when honesty, integrity, and reputation are not valued in the market?

Relying on a Good Name

Yesterday, I found myself explaining why a prospect should choose one CPA firm over another for their SOC engagement. When I explained to them that the value of one CPA firm over another boils down to the reliability of the name on the report, they asked me if anyone really cares about that. I replied that if no one cares, then it almost makes sense to go with the absolute lowest price that you can obtain the SOC report for. The only problem is that the auditor I select to provide assurance about me is a reflection of my own integrity. Please let me explain.

A couple of months ago, Ernst & Young was selected to be Facebook's auditor. Why would Facebook select Ernst & Young over some small, unknown, boutique CPA firm that specializes in auditing financial statements of social media companies? Well, it is obvious at that level. Facebook's IPO could be worth 100 billion dollars, and they want to inspire the most confidence that their accounting is accurate. How does that translate down to the level of this prospect though? Even if they could afford the audit fees, Ernst & Young would probably not even accept this prospect as a client for being too small.

This is where strong, reputable, regional CPA firms come in. For example, in Texas, one of the CPA firms I work with is Whitley Penn, which has been listed on the "Best of the Best" list of INSIDE Public Accounting's rankings of the top 100 accounting firms in the U.S. for ten of the last eleven years. They have offices in Dallas, Fort Worth and Houston, 36 partners, 280 employees, and a worldwide network affiliation via Nexia International. Most of the CPA firms I work with are on the Top 100 list.

Contrast the recognized reputation of Whitley Penn with several boutique CPA firms that I know of, which stopped using the previous names of their firms when the SAS 70 standard was replaced by SOC reports last year. Their previous names being no longer relevant, they started or resumed doing business under different names, and yet they still appear next to credible CPA firms in RFP distribution lists?!

I recently heard from a Top 10 CPA firm that they lost a SOC engagement opportunity to one of these boutique CPA firms. When Top 10 CPA firms lose audit engagements to small boutique CPA firms that specialize in providing SOC reports, there is a major problem in the market. If I selected a boutique CPA firm over a Top 10 CPA firm, I would not blame anyone for considering me the anti-Facebook in terms of caring what people think about my auditor. If I did this, it would demonstrate to others that I place no value whatsoever in a good name, and perhaps it is a reflection of my integrity.

In selecting a service auditor, or a service provider for that matter, I would ask myself one simple question: "What does the firm stand to lose if my data is compromised, and their firm's reputation is called into question along with mine?" Do you want a firm that has little to lose, or one that has much to lose? I guarantee you that the firm with the most to lose will be the most thorough in their examination of your internal controls. Perhaps that is where the issue is though. Much like the railroad utility executive's attitude toward the young Arthur Andersen, maybe companies want their auditors to look the other way.

It's time we take a stand against cheap risk assurance, and start relying on CPA firms with good names again in the risk assurance industry.

SOC 2 - The Customer Security Questionnaire Killer

Last week, I had a conversation with the Founder and CTO of Tripwire, @RealGeneKim on Twitter.  Gene was lamenting the fact that each of his bank customers hands them a 300-question security survey to complete in order to prove that they are secure.  He said that they answered 1,000 of these in 2011 alone.

I popped in on his timeline and said that a SOC 2 engagement, and the subsequent report, could help reduce or eliminate those surveys.  He said he loved it because, "300q surveys are like Distributed Denial of Service (DDoS) attacks on suppliers."

This is a widespread issue facing CISOs and CTOs.  In fact, a CEO (@ebellis), and Chief Security Architect (@mortman) at two well-known companies also joined in the conversation and confirmed the headaches and resource drain these surveys cause.

This is just one of the opportunities that SOC 2 reports present to service providers and service auditors.  The reason these surveys exist is that security professionals know that SAS 70 and SSAE 16 are unreliable indicators of an organization's security posture.  User organizations figured out a long time ago that if they want confirmation of how secure their suppliers are, they have to find out for themselves, because a sufficient third-party attestation did not exist.

This is also where the challenge to service auditors lies, though.  In order to replace customer security surveys and customers exercising their "right to audit", the SOC 2 engagement and resulting report need to be at least as thorough as the customer surveys.  That's not all though...there's some disturbing news.

In dialoguing back and forth with @ebellis and @mortman, it became apparent to me that they would prefer a kick-the-tires level of audit like SAS 70 or SSAE 16, and live with the security surveys.  That's a huge problem for service auditors.  Why might this be the case?  We went back and forth about stricter audits not being the answer, and talked about the transparency CloudAudit provides, but here's my analysis.  Service auditors have a lot of work to do to earn the trust of security professionals.  To quote @mortman, "Why trust auditors more than vendors?"  This problem also manifested in a SOC 2 audit clause that I blogged about in my post titled, "Do You Trust Your Service Provider's Auditor?"

This is an extremely damning statement that should be taken seriously by service auditors.  How in the world did we get to the place where auditors are not trusted?  I can tell you how I think it could have happened.  Could it be that conflict of interest has established a foothold in the risk assurance industry?  Please see my posts on the topic titled: "Conflict of Interest is the Root of Cheap Risk Assurance" and "What is the Value Proposition of Knowing My Son's Password?"

All of that being said, I still firmly believe that SOC 2 presents an opportunity for service auditors to win the trust of security professionals and help them reduce or eliminate the workload that answering customer surveys places on their daily lives.  Hopefully we will help them increase their productivity, and contribute to increasing their bottom lines.

The formula for trust is when expertise intersects with intent.  If auditors do a good job of matching security expertise with the service organization's intent of answering their customers' security questions, we will establish trust.  Service auditors and security professionals will not get there, however, with a business-as-usual approach and a "we can do it all" mentality, as I discussed in my post titled, "Don't Worry, I've Got This."

Upload a security questionnaire from your customers, and if you already have a SOC 2 report through one of our CPA firm partners, we'll map it to your SOC 2 controls for you.  If you have not had a SOC 2 engagement, we will map it to the Trust Services Principles and Criteria for you.  Just leave your contact information in the comments field.

UPDATE from Gene Kim

SOC1 (SSAE16) is the King of a Very Small Hill

Yesterday, there was a post on Data Center Knowledge titled "Why SOC 1/SSAE 16 is Still the King of the Hill."  The post celebrated the fact that data centers chose SOC 1 over SOC 2 in the first 12 months since the launch of SOC reports.  This really perplexes me, because my firm belief is that the market missed a huge opportunity by going with the status quo in year 1 of SOC reports.  So I asked myself, why would someone celebrate when there is no cause for celebration?  Perhaps people do not see how small the hill that the SOC 1 King sits on really is.

I'm not sure if everyone is aware or not, but the cloud wars have begun, and companies are racing to the cloud.  The AICPA understood this seismic shift, and the need for risk assurance other than the product that had been criticized by the Gartner Report as follows:

So in a climate where data centers are competing fiercely to win the business of SaaS customers, what happened after the launch of SOC reports?  Everyone rushed out to get their SOC 2 report, the one that the AICPA said is the right report for cloud security...right?

Not exactly.  Everyone decided to sit tight and embrace the status quo (please see a partial list of companies that selected SOC 1 over SOC 2 here).  The market heard "SSAE 16 replaces SAS 70", and promptly went out and received their SAS 70 replacing SSAE 16 report.  I would think that CPAs would be extremely disappointed about this rather than calling for a celebration of the SOC 1 King.

There are some majestic mountains right in front of us, and a King of the Mountain of cloud security has not been crowned yet.  If CPAs do not want to expand their dominion beyond assurance related to internal controls over financial reporting (ICFR), perhaps there is another who can adapt the SOC 2 audit methodology and establish themselves as King of the Mountain.