Why do CPA firms even perform SOC 2 Exams? (Shouldn’t you do my taxes?)

As the factual history is rather complex, let’s summarize this in a fun anecdote about an accountant named Bob.

Long ago, Bob was an everyday accountant who worked as an expert to keep his company’s financial accounts and amounts straight. He did some taxes, but he also kept the books.

But investors of this company started asking lots of questions about these books and didn’t necessarily trust the company itself to answer them, so they asked Bob to test the books and issue a report on them. Bob said “ok, I will learn”. He quit his job as a regular accountant and became an Auditor. As an Auditor he sampled a set of transactions and account balances to see if they were reasonably accurate.

One day the investors realized that in his audits, Bob was testing a small sample of transactions, but they wanted to be confident that every single transaction was correct. They asked Bob if he could also audit the controls that ensured the amounts and accounts were correct every time. Bob said “Sure, I will learn”, and he became a Controls Auditor. He tested things like whether bank statements were reconciled every month and whether adjusting journal entries were made properly.

Predictably, swarms of intelligent robots came along and started to perform those controls instead of humans. When investors asked Bob how he knew the robots were doing it correctly, he said “I’m not sure, but I will learn”, and became an IT Controls Auditor, verifying that the robots could be expected to be consistent.  

But the robots at certain companies began to be manipulated by certain bad people to steal information, and investors asked Bob how he knew that their robots were safe and true to the cause. Bob said “I will learn” and he became an IT Security Controls Auditor.

And that’s what accountants do through a SOC 2 exam today – we test the controls that keep information secure and away from bad people.


For a less humorous dive into SOC 2 examinations and the industry standards, you can explore resources provided by the American Institute of CPAs (AICPA), the authoritative body for SOC 2 compliance.

