Petition for the Adoption of the DoRS Approach to Determining ICFR
One of the challenges facing auditors of service organizations when conducting SOC 1 (aka SSAE 16) engagements is determining when a control is "reasonable in the circumstances." What that means, according to the SSAE 16 attestation standard, is that a control must be relevant to Internal Control Over Financial Reporting (ICFR) for it to be included in a SOC 1 report.
Without an objective approach to determining what an Internal Control Over Financial Reporting is, service organizations will continue to misuse SOC 1 (SSAE 16) reports. Details of the DoRS approach can be found here.
Many of the service organizations I speak with are frustrated with the lack of clarity around SOC reports and they do not want to be put at a competitive disadvantage by paying more for a SOC 2 report when their competitors are allowed to keep things as they were under SAS 70.
I have also spoken with service organizations on the opposite side that hope SOC 2 fails. They are more than happy to undergo a SOC 1 engagement because of the low cost and high likelihood of passing. They are actually hoping that their customers will continue to ask for a SOC 1, thinking that it addresses their security concerns.
Please consider signing this petition, and passing it along to anyone who might be concerned about the direction that service organization control reports are heading.
Jon Long, CISA, QSA
Posted by Jon Long