Posted in: Advisory, Audit,

SOC Services – The Time Is Now

I’ve talked in the past about trending services, and system and organization controls (SOC) reporting is near the top—or at the top—of that list. SOC reporting is a great way to expand assurance services for mid-size firms. Large firms are all in this business, and at Allinial Global we have our fair share of firms that excel at SOC engagements.

While I was at the AICPA, I was involved in strategic discussions as the move from SAS 70 to SOC took place. The issue at the time was that many companies, especially in the tech arena, were using SAS 70 incorrectly and something needed to change. Those who do EBP audits (as I did in my day) were very familiar with obtaining a SAS 70 report to provide assurance over controls over financial reporting for third-party providers. That has now become SOC 1. For those who needed assurance over controls and security, generally, that’s where SOC 2 and 3 come in.

I don’t want this to turn into a technical session on SOC, so that’s as far as I will go. But I do want to highlight some of the opportunities in this space. Recently, I sat down with members at two of our mid-size firms to talk about SOC reporting. Jim McGough is a CPA, CGMA with Wolf & Company in Boston. He grew up in the traditional audit space and is now part of Wolf’s SOC team. Pete Rife is a CISA, CISSP, and Director of IT Audit at Holbrook & Manter in Ohio. Jim, Pete, and I had some excellent conversation around opportunities and challenges in providing SOC engagements.

Opportunities and Challenges

Many current opportunities are focused in the financial institutions, healthcare, and technology sectors. Both Wolf and Holbrook & Manter are involved in SOC engagements in these industries. But it’s not just about the SOC engagement; many companies are asking for HITRUST, PCI compliance, and other certifications to be included. For international companies, an ISO 27001 engagement will be included in the SOC engagement. While US-based companies may be getting the ISO 27001 along with the SOC certification, there are technology companies outside the US who are now looking to add SOC to their ISO 27001 engagement. Having a team that can provide multiple certifications is important.

One common challenge in the SOC world has been finding talent. Of course, talent is an issue for many of our service lines. We are working to push outsource capabilities and finding capacity and capabilities from other firms, as some industries have different busy seasons. For outsourcing, KNAV, MGC Global Risk Advisory, and Ashok Maheshwary & Associates all have opportunities for current SOC providers to expand their services.

Building a Foundation for the Future

What if you don’t currently provide SOC services? Well, our members who do provide the service are happy to help. Both Pete and Jim mentioned that they have helped other Allinial Global members who called when a client opportunity arose, assisting in a variety of ways. Some firms will just let the SOC firm deal directly with the client. Other firms have hired Jim or Pete’s firm to serve as subject matter experts, with the client firm providing the final opinion.

A great way to get started is to have one or two staff members get the SOC certificate, sell the work with the SOC firm as the lead, and use the client firm’s staff to assist and learn. Then after 5–10 engagements, the client firm will have experience to grow the practice.

I also asked Jim and Pete about future opportunities. SOC for cyber and SOC for supply chain are two newer lines of opportunity. Both Jim and Pete stated that as of right now they haven’t had many requests for either, but they could see the opportunity. The Department of Defense, for example, has released the Cyber Maturity Model Certification (CMMC), which they will require DoD vendors to obtain. More and more businesses are asking for SOC reports as part of due diligence in working with their company. SOC is clearly an area of growing need, and we want to ensure that Allinial Global member firms can identify the right opportunities—and remember that there are so many ways we can collaborate.

If you have any questions about SOC and how to start, outsource, or grow, please reach out to me. I am passionate about this and want to see Allinial Global firms truly take the lead in this sector.