The AICPA has fallen down on maintaining quality in SOC 2 audits. It says it is doing “something,” but it is moving far too slowly, and businesses lose a little more trust in SOC 2 with every mediocre report they read.
ISACA, the Information Systems Audit and Control Association, is well positioned to displace SOC 2 with an auditing standard of its own.
(ISACA is the professional association that issues the CISA and CISM certifications. The AICPA is the body that governs CPAs and owns the SOC 2 attestation standard.)
Why SOC 2 Is Super Valuable (When It’s Done Right)
Let’s start with the love.
Have you ever actually read a SOC 2 report? Most folks think it’s some shiny certification badge you slap on your website and call it a day.
Nope!
SOC 2 is an attestation – a detailed report from an auditor describing how your security program is designed and implemented. Where a certification is pass/fail, an attestation allows for flexibility and detail.
SOC 2’s flexibility is its secret sauce.
1. You can scope your whole company or just a sliver of it, like a single product line.
2. Pick your Trust Services Criteria: Security alone, or layer on Availability, Confidentiality, Processing Integrity, and/or Privacy.
3. Timeframes? A point-in-time snapshot (a Type 1 report) or a full 3-, 6- or 12-month examination of operating effectiveness (a Type 2 report). The Type 2 is much preferred, since it shows the controls actually ran over the period, not just that they existed on the day the auditor looked.
It’s not one-size-fits-all like ISO 27001, which prescribes controls that may or may not fit you and then drowns you in paperwork.
SOC 2 is great for attestees; it lets them craft a program that actually makes sense for their business. It’s also great for customers and partners, since they get a detailed look at the vendor’s custom cybersecurity program and how well the vendor is following it.
The compliance framework is market-driven gold when it’s thorough and accurate.
But SOC 2 Has a Lot of Problems (And They’re Getting Worse)
Now, the ugly truth: SOC 2 is broken.
The proliferation of cheap auditors is killing it.
These low-end firms promise SOC 2 success for peanuts: “save 60% or more!” They’re often bundled with your GRC software. What they deliver is a rubber stamp: a generic report full of copy-pasted fluff.
The reports they churn out provide no value, no confidence, and no trust in the cybersecurity programs they’re supposed to attest to.
Like the diploma mills that sell degrees with no rigor, I like to think of these auditing firms as SOC 2 mills.
We’re hearing stories of major companies blacklisting reports from disreputable auditors. At what point do they ditch SOC 2 altogether?
SOC 2 took off for a reason – it’s an incredible framework!
But its popularity was market-driven, and it could get market-driven into irrelevancy if it doesn’t get the right quality fixes.
The AICPA needs to wake up; with AI, spotting crappy audits should be a slam dunk.
It Doesn’t Make Sense for SOC 2 to Be Owned by the AICPA—It Should Be a Cybersecurity Organization
The AICPA could be unseated by another auditing framework if they don’t reform.
I’ve advocated for them to fix SOC 2 compliance – there are so many ways to improve! They should publish standard control-list options for different situations, which organizations would then customize as needed. The AICPA should AI-score reports for copy-pasting or suspiciously few exceptions. They should crack down on auditors that do both preparation and audit services, and mandate thorough summaries up front containing scope, criteria, and exceptions.
But let’s take a step back. Under AICPA rules, only a licensed CPA firm can issue a SOC 2 report. Isn’t it odd that accounting firms are the ones assessing whether technical controls are effective?
SOC 2 deserves ownership by a cybersecurity-focused organization – one that integrates the technical, auditing, and management skills that are all relevant to cybersecurity.
Enter ISACA. They’ve got everything in place to launch a SOC 2 competitor and own this space.
ISACA Has All the Pieces
ISACA isn’t starting from scratch. They’ve built an empire of tools and certs tailored for this:
Control Objectives for Information and Related Technologies (COBIT): ISACA has a governance framework! It’s already organizationally focused, the perfect base for control templates.
Certified Information Security Manager (CISM): For the leadership side, ensuring strategic oversight.
Certified Information Systems Auditor (CISA): These technical pros are ready to audit and write attestations. (ISC2 would need a new parallel certification; more on that in a bit.)
Logically, ISACA has a lot in place. They could launch this tomorrow and create massive value for their certifications.
ISACA Should Create a New Compliance Framework: Attesting an Organization’s Security (AOS)
My proposal: ISACA launches “Attesting an Organization’s Security” (AOS).
AOS would be based on COBIT templates for common scenarios. Companies would then customize for their program. Control implementation would be risk-based, just like SOC 2 is (at its best).
CISMs would be responsible for implementing the AOS compliance program in the organization. CISAs would be the auditors. ISACA would charge auditors roughly $250 per report for accreditation (a minimal charge for firms with certified staff, but important for funding the program).
The new AOS framework would keep SOC 2’s core benefits: flexible scoping for organizations with attestations that describe design and implementation.
It would improve upon SOC 2’s quality issues by building new processes.
AOS Would Fix SOC 2’s Quality Problems By…
1. AI Scan Reports to Flag Copy-Paste Jobs
Once a report is completed, the auditor submits it to ISACA, which uses AI to scan it against a database of earlier reports and flags and disqualifies copy-paste jobs.
Once a report passes this first check, it moves onto the next step.
2. Serializing Every Report
ISACA issues a unique serial number for every AOS report and maintains a public database of report metadata.
Anyone can look up a report by serial number and company name. The entry shows the organization, effective date, scope, and auditor. The full report stays NDA-locked, released only to whom the attestee chooses.
3. Peer Powered Quality Control
When CISAs in good standing see a suspect AOS report, they can log in to the database and challenge it. Once a given report hits five challenges, it triggers a review by disinterested CISAs (rewarded with CPEs for the hassle).
Three CISAs investigate the report. If they reach a unanimous decision to overturn it, the report is revoked. If an auditor racks up too many revocations, their CISA certification is on the line.
This peer review system should eliminate SOC 2’s rubber stamping problem.
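As an added illustration (not ISACA’s code, not the author’s, and not code from any existing AOS program), here is a small Python registry that walks a submission through the three steps above: near-duplicate screening against prior reports, serial issuance with a public metadata index, and the five-challenge / three-reviewer workflow. The five-challenge and three-reviewer thresholds are the ones proposed above; the word-shingle size, the 0.8 similarity cut-off, the serial format, the SHA-256 digest of the report text and the three sample reports are assumptions constructed for the example. One point worth noticing: the copy-paste check needs no machine learning. Hashed word 5-gram overlap (Jaccard similarity) catches a reused narrative on its own.

```python
import hashlib
import re
from dataclasses import dataclass, field
# Added example, not ISACA's or the author's code. The 5-challenge and 3-reviewer
# figures come from the proposal; shingle size, cut-off and serial format are assumed.
SHINGLE_SIZE, DUPLICATE_THRESHOLD = 5, 0.8
CHALLENGES_TO_REVIEW, REVIEW_PANEL_SIZE = 5, 3

def shingle_hashes(text):
    """Hashed word 5-grams: enough to measure overlap, not enough to rebuild the text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    grams = (" ".join(words[i:i + SHINGLE_SIZE]) for i in range(len(words) - SHINGLE_SIZE + 1))
    return {hashlib.sha256(g.encode()).hexdigest() for g in grams}

@dataclass
class ReportRecord:
    serial: str
    meta: dict                 # organization, effective_date, scope, auditor: the public part
    sha256: str                # digest of the full report, which the registry never stores
    status: str = "valid"      # valid | under_review | revoked
    challengers: set = field(default_factory=set)
    reviews: dict = field(default_factory=dict)   # reviewer -> votes to overturn

class Registry:
    def __init__(self):
        self.records, self.fingerprints, self.revocations = {}, {}, {}
        self._next_serial = 1
    # Step 1: Jaccard similarity of hashed shingles against every report on file.
    def screen(self, body):
        fp, best_serial, best = shingle_hashes(body), None, 0.0
        for serial, other in self.fingerprints.items():
            score = len(fp & other) / (len(fp | other) or 1)
            if score > best:
                best_serial, best = serial, score
        return best >= DUPLICATE_THRESHOLD, best_serial, best
    # Step 2: reject copy-paste jobs, otherwise issue a serial and index metadata plus digest.
    def submit(self, body, meta):
        is_dup, match, score = self.screen(body)
        if is_dup:
            raise ValueError(f"rejected: {score:.2f} overlap with {match}")
        serial, self._next_serial = f"AOS-{self._next_serial:06d}", self._next_serial + 1
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.records[serial] = ReportRecord(serial, dict(meta), digest)
        self.fingerprints[serial] = shingle_hashes(body)
        return serial
    def lookup(self, serial):   # public view; the report itself stays NDA-locked
        r = self.records[serial]
        return {"serial": r.serial, **r.meta, "status": r.status, "sha256": r.sha256}
    def verify_copy(self, serial, body):   # a customer checks its NDA copy is the registered one
        return hashlib.sha256(body.encode()).hexdigest() == self.records[serial].sha256
    # Step 3: five distinct challenges open a review; three disinterested CISAs decide.
    def challenge(self, serial, cisa):
        r = self.records[serial]
        if r.status == "valid":
            r.challengers.add(cisa)
            if len(r.challengers) >= CHALLENGES_TO_REVIEW:
                r.status = "under_review"
        return r.status
    def review(self, serial, cisa, overturn):
        r = self.records[serial]
        if r.status != "under_review":
            raise ValueError("no review open for this report")
        if cisa in r.challengers or cisa == r.meta["auditor"]:
            raise ValueError("interested party may not sit on the panel")
        r.reviews[cisa] = overturn
        if len(r.reviews) == REVIEW_PANEL_SIZE:
            if all(r.reviews.values()):   # unanimous: revoke and count it against the auditor
                r.status = "revoked"
                self.revocations[r.meta["auditor"]] = self.revocations.get(r.meta["auditor"], 0) + 1
            else:                         # upheld: clear the slate
                r.status, r.challengers, r.reviews = "valid", set(), {}
        return r.status

# Constructed sample reports: a mill reuses one narrative for two clients.
BOILERPLATE = ("maintains a formal information security program. Access to production systems is "
               "restricted to authorized personnel through role based access control and multi "
               "factor authentication. No exceptions were noted.")
REPORT_ACME, REPORT_GLOBEX = "Acme Corp " + BOILERPLATE, "Globex Inc " + BOILERPLATE
REPORT_INITECH = ("Initech Ltd runs a payments platform on a public cloud. Engineers reach production "
                  "only through a just in time elevation workflow that expires after four hours. One "
                  "exception was noted: two contractor accounts stayed active after offboarding.")

def demo():
    reg = Registry()
    acme = reg.submit(REPORT_ACME, {"organization": "Acme Corp", "effective_date": "2024-12-31",
                                    "scope": "Security", "auditor": "Mill Audit LLC"})
    is_dup, match, score = reg.screen(REPORT_GLOBEX)   # same narrative, new client name
    initech = reg.submit(REPORT_INITECH, {"organization": "Initech Ltd", "effective_date": "2024-12-31",
                                          "scope": "Security", "auditor": "Careful Audit LLP"})
    for cisa in ("c1", "c2", "c3", "c4", "c5"):       # five challenges open a review
        status = reg.challenge(acme, cisa)
    for reviewer in ("r1", "r2", "r3"):               # unanimous panel revokes the report
        status = reg.review(acme, reviewer, overturn=True)
    return {"dup_flagged": is_dup, "dup_match": match, "dup_score": round(score, 2), "acme_status": status,
            "revocations": reg.revocations, "initech_status": reg.lookup(initech)["status"]}
```

Running demo() flags the Globex report as a copy of the Acme one (about 0.86 overlap), accepts the genuinely different Initech report, and revokes the Acme report once five challenges and three unanimous reviewers have weighed in, counting the revocation against the mill that signed it. The registry keeps only hashed shingles and a digest of each report, so the public index cannot leak the NDA-locked text, while a customer who receives a copy can still check its SHA-256 against the registered entry. A production version would replace the exact shingle sets with MinHash sketches so screening scales past a few thousand reports, and would tie challengers and reviewers to live certification records rather than bare identifiers.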
Rob, You’re a CISSP—Why Not ISC2?
Fair question – I am a CISSP, and ISC2 could totally pull this off. It’d be awesome: adopt a control framework, roll out a CISA-like auditing cert, and run the same serial/challenge system. I’ve even proposed it before. ISC2 would have a heavier lift without COBIT or CISA equivalents, but the bones are there.
That said, ISACA is better positioned to pull this off with its ready-made pieces.
Whichever org steps up, they’d revitalize the space and pull cyber pros into auditing like never before.