Why do CPA firms even perform SOC 2 Exams? (Shouldn’t you do my taxes?)

November 5, 2023

As the factual history is rather complex, let’s summarize this in a fun anecdote about an accountant named Bob.

As the factual history is rather complex, let’s summarize this in a fun anecdote about an accountant named Bob.

Long ago, Bob was an every day accountant who worked as an expert to keep his company’s financial accounts and amounts straight. He did some taxes, but he also kept the books.

But investors of this company started asking lots of questions about these books and didn’t necessarily trust the company itself to answer them, so they asked Bob to test the books and issue a report on them. Bob said “ok, I will learn”. He quit his job as a regular accountant and became an Auditor. As an Auditor he sampled a set of transactions and account balances to see if they were reasonably accurate.

One day the investors realized that in his audits, Bob was testing a small sample of transactions, but they wanted to be confident that every single transaction was correct. They asked Bob if he could also audit the controls that ensured the amounts and accounts were correct every time. Bob said “Sure, I will learn”, and he became a Controls Auditor. He tested things like, were bank statements reconciled every month and adjusting journal entries made properly?

Predictably, swarms of intelligent robots came along and started to perform those controls instead of humans. When investors asked Bob how he knew the robots were doing it correctly, he said “I’m not sure, but I will learn”, and became an IT Controls Auditor, verifying that the robots could be expected to be consistent.

But the robots at certain companies began to be manipulated by certain bad people to steal information, and investors asked Bob how he knew that their robots were safe and true to the cause. Bob said “I will learn” and he became an IT Security Controls Auditor.

And that’s what accountants do through a SOC 2 exam today – we test the controls that keep information secure and away from bad people.

For a less humorous dive into SOC 2 examinations and the industry standards, you can explore resources provided by the American Institute of CPAs (AICPA), the authoritative body for SOC 2 compliance.

Looking for an auditor who can help guide you through the SOC 2 process? – Contact Render

Share this post

Keep reading...

policy SOC report

Building Effective Security Policies: FOMO vs. Build-as-you-Go

04/22/2024

Ever gone to check the company policy for something and found yourself lost and hopeless in a thousand page policy jungle?

Beyond Fast Audits – Prioritizing Quality in Compliance Automation

03/26/2024

In the fast-paced world of compliance automation, where promises of rapid audits abound, it’s time to pause and reconsider our priorities.

SOC 2 timeline

How long does my first SOC 2 Exam take?

03/19/2024

Determining the timeline for achieving SOC 2 compliance is a bit like asking “how long does it take to build a car?”

Security Questionnaire

SOC 2 vs. Security Questionnaire?

03/06/2024

What’s the difference and how do they match up?

Navigating Compliance in a Serverless World

02/12/2024

It may be obvious that running a ‘serverless’ environment reduces your operational responsibilities.

What is a SOC 2 Gap Assessment?

01/28/2024

A SOC 2 Gap Assessment is a high-level review of a firm’s control’s environment against SOC 2 criteria to identify existing gaps.