Join Drent J. Shields, CPA, MBA, CISA, CITP, Audit Partner, and Kyle Wehrli, CPA, CISA, CTP, Audit Manager, of PKF Mueller’s Risk & Controls team for an in-depth interview about SOC reporting, best practices to help companies, such as cloud-based SaaS providers, choose their SOC auditor, and the Firm’s unique and client-centric approach to SOC audits.
[00:00:00] Emily: Hi, everyone. You’re listening to the PKF Mueller Podcast, “Business Owner’s Guide: Tips, Trends, and Talks from a CPA.” I’m Emily, and today I’m with Drent Shields and Kyle Wehrli from our risk and controls team.
Drent is an Audit Partner with over 18 years of public accounting experience and extensive experience working with clients in the manufacturing, distribution, transportation, and services industries. In addition to providing traditional audit, review, and compilation services, Drent is a leader of the PKF Mueller risk and controls practice, where he has performed internal-control-related services for clients in the technology, financial services, payroll processing, debt collections, treasury and cash management, and automated document factory industries.
Kyle is an Audit Manager at PKF Mueller whose main focus is risk and controls services. He performs Sarbanes-Oxley (SOX) consulting and compliance testing, and SOC 1 and SOC 2 examinations. He performs these engagements for a wide variety of clients and related systems, ranging from payroll and financial services companies to advanced application software platforms, managed security service providers, and data centers.
So, my first question for you, Drent, is can you please share a high-level overview of PKF Mueller’s risk and controls services?
[00:01:40] Drent: Yes. So, risk and controls is actually very descriptive. So, the primary things we do are address risks and help companies with internal controls. This spans the gamut from Sarbanes-Oxley compliance testing and consulting, J-SOX compliance testing, SOC reporting, as you indicated before, internal controls optimization, and just about anything else internal control and risk related.
[00:02:08] Emily: One of those services you mentioned was SOC reports. Could you please explain what a SOC report is, and why would a company need one?
[00:02:16] Drent: A SOC report is an audit of a service organization and their controls designed to deliver the services that they’re providing to their customers.
So, it’s primarily a customer-driven report, for when your customers have concerns over the internal controls at your organization as they relate to either their own financial reporting or to such things as security and availability of services.
[00:02:42] Emily: What types of industries benefit from one of these reports? Your bios did mention a couple, but I was curious if you could expand on that a little bit.
[00:02:51] Kyle: Yeah, right now, what we’re seeing is that SOC examinations, and the customer requests surrounding SOC compliance, are expanding to almost all industries. But at a high level, SOC 1 is geared towards companies that are processing, or assisting in processing, financially impacting information for their clients.
A good example of these are typically payroll processing companies, medical billing companies, printing companies, and also companies who are involved in outsourced invoicing, things of that nature. Those are really the relevant services that a SOC 1 report was meant to cover. Now, SOC 2 reports are where we are seeing a lot of growth, and that’s because it can really apply to most companies who collect and/or host their clients’ data or offer some type of service, such as an application in the cloud, where their customers are giving them data and they’re holding that data.
Good examples of these companies requesting the examinations include data centers themselves, which really originated some of the first SOC 2 reports, and then application hosting firms, co-location firms, and cloud-based Software-as-a-Service (SaaS) providers. So really, in summary, cloud-based Software-as-a-Service providers are where we’re seeing the most growth and demand for SOC 2 examinations. And we’re actually seeing this expand even into professional services firms needing SOC 2 reports, such as law firms and CPA firms, as many times these firms, including a firm like PKF Mueller, maintain highly confidential data on their network.
[00:04:20] Emily: Are SOC reports required or mandated? And if not, what’s the benefit to a company having one?
[00:04:26] Kyle: Yeah. So right now, there are no actual mandates for a company to get a SOC report. It really started with SOC 1 reports being a request from user organizations, which are users of the system or service, being requested by those user organizations’ auditors during financial statement audits.
Now, what we’re seeing is in most customer contracts, such as large opportunities for companies who are potential SOC examination candidates: if they know they’re going to host data or that they have customer data, they want to make sure their environment is secure. And so does their potential customer.
And that’s where the SOC 2 has come about. So, it’s becoming standard language in contracts where if entities want to work together, they’re saying, “Hey, if you want to work with us, we need to make sure your environment and the service you’re offering us and going to provide for us is secure.”
And that’s why we see a lot of growth in SaaS companies, Software-as-a-Service companies, hosted in the cloud where companies want to make sure that the way they’re hosting that data or holding that data is secure.
[00:05:31] Emily: How would you describe PKF Mueller’s approach to SOC or SOC reports?
[00:05:36] Kyle: I think collaboration is where PKF Mueller is ahead of the curve right now.
We know that the SOC 1 and SOC 2 compliance process, and being compliant in general, can be very overwhelming at first. You know, so the good news is, what we offer is definitely a more collaborative approach. We want to make sure you’re ready to undergo audit before we come in and actually become your auditor.
We’re allowed under the standards to provide consulting services upfront, to make sure that you are ready to undergo audit, so that we can then draw the line and become your independent auditor once you believe you’re ready to undergo audit. And I think this is where there’s a lot of strength — the continuity between the consulting phase, making sure you’re ready to undergo audit, and then knowing what to expect from your auditor.
We’re always looking for ways to improve and for input from our customers to streamline efficiencies as well. That can go hand-in-hand with what’s called the “readiness assessment” process, which is the consulting side of things, before we become your auditor.
That also leads into proactiveness. Our approach is very proactive-centric. We always want to know what we can do better. We make recommendations during our consulting phase for what our customers can do better as well. And we like developing that relationship.
Additionally, continuity of our teams is really important, and we stress that. We have a dedicated SOC team, which really assists in being as efficient as possible. We want to make sure the client is working with the same auditors, in the same approach, each year, as much as possible.
[00:07:08] Drent: Yeah. I think that all plays into part of PKF Mueller’s mindset in general of no surprises. And, you know, we want to get out in front of any issues. I, you know, especially when you’re undergoing a SOC audit for the first time, there are going to be issues.
There are going to be complexities. There’s going to be things that you run into in testing that maybe you didn’t anticipate. So, the earlier you can get out in front of those and address the issues and get them fixed together, the better off everybody is going to be.
[00:07:35] Kyle: Yeah, that’s been challenging. I think for a lot of our customers we’ve onboarded recently, their initial challenge was ‘how do we choose an auditor, and what are some recommendations for going through the process of choosing an auditor?’
First off, for SOC 1, 2, 3, and SOC for Cybersecurity reports, you have to be a CPA firm to issue an actual audit report. So, obviously being a CPA or a CPA firm is important, but we do see a lot of CPA firms getting into this space that don’t have the necessary experience. And that’s where we can see audit quality and efficiency as a shortcoming.
And it’s very challenging for clients to get through the process, issue a quality report, and be comfortable that their customers are happy with it. So, asking questions like, “Do you have a Certified Information Systems Auditor, or CISA, on staff, or any other type of information technology professionals working on these audits?”
And we really do think that’s important because again, audit quality does go down when that lack of IT knowledge is apparent in the reports.
Another important question is, “How many of these engagements do you do a year?” This is something important to ask a potential firm that you’re looking at to do your SOC report.
We see that if a firm only does two or three of these audits a year, it’s very difficult for them to become experts in this area. So, I think it’s important to ask those questions of the professionals, you know, you’re interviewing during the process. During the interview process with potential candidates, it’s also important to understand how big of a firm they are. What’s their national and global presence?
And also, to get a feel for whether they’re a high-volume, low-cost provider. We’ve seen this growing in the SOC space, the SOC examination space, where there are national firms that are low-cost providers. So, what you get in those experiences is a non-personal relationship and an audit where most of the audit tends to be geared to be more automated.
And there’s no value add, really. Because then, you know, what happens is audits become non-personable and more automated. This doesn’t necessarily drive efficiencies in the audit process. And we do see that this affects audit quality, because for a quality audit report to be issued, and a SOC examination report to be issued, the auditor really needs to understand your environment and what service you’re actually offering.
I would say the only other thing to ask of your potential auditors is if they have a dedicated SOC team. A lot of the times, as we discussed earlier, a dedicated SOC team is very important for gaining efficiencies and understanding the expertise of the specific firm you’re looking at to be your SOC auditor. So, understanding if there’s a dedicated SOC group in the organization you’re looking at is important.
[00:10:29] Drent: That was pretty well said. I’d just point out one other thing… When you’re looking for your SOC auditor, I would definitely ask to see their most recent peer review report because the SOC audits are an increasing area of focus on the peer reviews, and you want to make sure that the firm you’re going to be eventually utilizing is a quality firm and has passed that peer review.
[00:10:53] Emily: Do you have any case studies or examples of SOC report work that you’ve done in the past?
[00:10:58] Drent: I know Kyle probably has a couple of specific examples, but I’m going to just provide kind of an overview. You know, I work in a number of different areas of the firm, and within the SOC audit area I’ve had more feedback from clients that we really helped them, and we pointed out true issues within their firm, and they really appreciate everything that goes into the audit and the recommendations that come out of it, and the actual operational and security changes they’re able to make as a result of our recommendations.
And that comes from working with a broad range of clients across multiple industries on these types of audits and being able to provide our experience from those various engagements.
[00:11:40] Kyle: Yeah. To piggyback off that, I think one of our strengths is, that was kind of hinted at earlier, is that we don’t treat this as a “check the box engagement.”
We go into a company who’s never undergone an audit before, and we’re really able to help them understand what they need to do to prepare before we become their auditor. Again, this is key because it’s important to know what to expect and what the documentation requirements are before you undergo audit.
I think when a client and auditor treat the engagement as check-the-box, it really does take away from some of the potential value-add opportunities that there are. For example, you know, going through a readiness assessment, the consulting phase, with a firm who doesn’t treat it as check-the-box can actually increase your security posture with recommendations in a cost-effective way as they learn your environment, and also communicate best practices to the client before they are under audit.
Whether it be HR related or from a governance standpoint, there’s a lot of big value adds, again, with this consulting upfront, and making sure that you’re ready to undergo audit and you’re taking credit for all the controls that an organization is actually performing. I think the readiness assessment uncovers a lot of areas that were or weren’t previously considered by a lot of organizations.
And one other good thing about the SOC 2 criteria that just came out, also known as the Trust Services Criteria, is they do highlight areas now, such as vendor management, where organizations really didn’t consider it before. And it wasn’t called out in any of the standards that were being audited against.
And I think a lot of the risks that organizations have nowadays are related to vendors and vendor management. So, going through the readiness assessment, and your consultant being able to offer you best practice examples, and giving their opinion on whether or not something is strong enough, you know, based on your organization’s risk tolerance is really valuable. Because again, this is all becoming pretty common in contracts before anybody will utilize a service such as a cloud provider. So, going through the readiness assessment process and not just jumping straight into an audit is important to make sure you’re ready.
[00:13:49] Emily: Great. Well, I think that was a really great overview from the both of you. And thank you so much for your time today to explain SOC reports as well as PKF Mueller’s experience and unique approach to them.
If any of our listeners have any other further SOC questions or would like to learn more, will you please share how they might be able to get in contact with you?
[00:14:11] Drent: Yeah, absolutely. You’ll reach me at email@example.com, or give me a call at +1 847 649 8815.
[00:14:21] Kyle: Yeah. My email is firstname.lastname@example.org, and I can be reached at +1 815 274 1655.
[00:14:33] Emily: Thank you both again for your time. It was really great to have you.
And thank you to our listeners. Don’t forget to visit us at pkfmueller.com to learn more about all of our firm’s services and locations throughout the Chicago area and Sarasota, Florida. You can also follow PKF Mueller on social media for more updates, insights, and upcoming events.