Last week I blogged about how the market does not seem to place value on the names and reputations of service auditors when it comes to Service Organization Controls (SOC) Reports, in my post titled "What is the Value of a Good Name."
This is demonstrated in the market by the fact that small boutique CPA firms are included in RFP distribution lists alongside Top 10 CPA firms, and are even winning engagements over Top 10 CPA firms. These firms, which had to stop using firm names that became irrelevant when SAS 70 was replaced by SOC reports last year, offer attractive audit fees, but they do not have as much to lose as the larger firms.
Larger CPA firms that, in some cases, have reputations spanning over 100 years do not roll the dice on attestation engagements that risk damaging their names. They make sure that audits are performed with sufficient care to mitigate that risk, and that care translates to more time spent conducting the audit. More time translates to higher cost. Higher cost means higher audit fees.
So I got to thinking, "How can we change this?" I mean, as long as user organizations see no difference between reports signed by small boutique CPA firms and reports from Top 100 or even Top 10 CPA firms, then what's the use? Why should Top 100 CPA firms even bother risking their reputations on SOC reports?
There needs to be a Global Registry of Service Organizations similar to Visa's Global Registry of Service Providers that lists service organizations along with their auditor, and the date of their attestation. The transparency that such a list provides will distinguish the service organizations that used larger CPA firms from those who used small boutique CPA firms.
Service organizations that make the extra investment to secure a report from a Top 100 CPA firm may be in a more competitive position in the market compared with those that do not. An additional benefit of creating this registry will be the ability to cross-reference it against DataLossDB.org to see who the service auditor was when companies are breached. Service auditors with good track records can be rewarded, and those with bad ones can be replaced.
I think that this registry will need to be ultimately created and kept by an independent organization such as the AICPA, or incorporated in registries such as the Cloud Security Alliance's CSTAR, but I also realize that these things take time. So to get the ball rolling in the meantime, I have added a page to my blog called "Who's Who."
This registry can be populated by anyone, so whether you are a service auditor, service organization, or a user entity, please feel free to enter the information as it is available to you. I am going to be entering every piece of information that I come across as well, so this could end up being a pretty decent list. I will compile the information, and refresh the list periodically.
Together we can change the risk assurance industry. Let's go for it!