Three things your firm needs to get started with SOC services
SOC reporting isn’t something auditors should learn on the job or figure out as they go. If you’ve been thinking about expanding your firm’s offerings to include Service and Organization Control (SOC) engagements, there are a few things you need first.
1. You need to be knowledgeable in the service area
Specialized knowledge of an industry or organization is vital for understanding where risks are, assessing those risks and adjusting procedures to the appropriate risk level. As such, focus your SOC practice on areas with which you are already familiar.
This is actually how many firms get into SOC reporting. When financial statement audit clients grow to need assurance on internal controls around information security and privacy, they often turn to their CPA as a trusted advisor. But before you can expand your role, you need to make sure you have the skills and staff necessary to perform SOC services for them.
2. You need to find people with both auditing and IT skills
Make sure your staff has people with the right knowledge to execute these engagements. Where do you find them?
  - Recruit from traditional paths: Your firm can recruit accounting students who minored in IT or a similar tech field. Of course, you’ll still need to train these individuals in the cyber components of SOC reporting. Keep in mind, though, that these students are considered “unicorns,” and the largest firms often invest heavily in recruiting them (more on that in just a bit).
  - Recruit from non-traditional paths: Consider recruiting out of Management Information Systems (MIS) or other technical programs. Of course, just as an accounting student would need to learn and sharpen their IT skills, an MIS student will need to learn auditing, risk, control and client-delivery skills.
  - Hire people who already have experience: Given that the largest firms recruit those who studied accounting and IT, these firms can be great places for you to look for new staff. These CPAs will not only have the education for SOC reporting, but will also have on-the-ground experience that can help your firm grow its SOC service offerings more quickly.
  - Grow through acquisition: As with other firm practice areas, you can always grow your SOC practice by acquiring a firm that already specializes in this area.
3. You need to be learning constantly
Your SOC team needs to understand and be able to apply AICPA standards and be able to look at situations on a deep technological level. And because both areas are subject to constant updates and changes, SOC reporting is a skillset that requires a lot of training. Remember: SOC reports have such a high level of public interest that the Peer Review Program has made them must-select engagements. Getting them right is always the priority. Here are a few ways to help your staff get the training they need:
- Consider obtaining advanced certification by becoming a Certified Information Technology Professional (CITP).
- Check out the AICPA’s extensive learning resources for SOC reporting. If you’re interested in SOC for Cybersecurity specifically, make sure to visit the AICPA’s Cybersecurity Resource Center for free downloadable tools.
- Supplement your assurance education with specific IT training relevant to your firm’s service offerings.
Providing SOC services can be a profitable business line for many firms, but you must make sure your firm has the knowledge, skills and training necessary to perform these services according to the standards. For more learning resources, check out the AICPA’s SOC Suite of Services resources page.
Lindsay N. Patterson, CAE, Senior Manager, Communications and Public Relations, Association of International Certified Professional Accountants