S4 E09: SOC 2 Auditor Red Flags
Transcript
Jordan Eisner
Hello and welcome to another episode of Compliance Pointers sponsored by Compliance Point. With me once again, it’s been a little while, Carol, but it’s Carol Amick, Managing Director here at Compliance Point. Utility player, I would say, but primarily focused these days on SOC 2 attestations. She is a CPA. She’s been with Compliance Point, it’s got to be getting close to a decade, right? Or am I way overshooting? Nine years or so? Yeah, basically built our HITRUST practice, so a lot of experience there prior to that.
Carol Amick
We’re getting up there for nine years or so, yeah.
Jordan Eisner
In-house stints, external consulting stints, all around HIPAA and compliance and many other things. So a wealth of information on audits and compliance. And so a very, very good guest for our topic today in light of the recent, Delve findings, right? And I don’t know what you’d call it, breaking news leak?
Carol Amick
So obviously it’s obviously at least a security breach because the people seem to be in their system.
Jordan Eisner
So really shed some light on, I don’t want to say the state of the industry. I think that’s a bridge too far, but, maybe the importance of scrutiny on these auditors and peer reviews and you know.
Who’s watching the hen house and ensuring it’s not the fox?
Carol Amick
Yeah, I mean, there has been. This is not the first allegation we’ve heard that you SOC in a box as it’s referred to. You can get a SOC in a box and it’s quick and it’s easy. Anytime you’re getting a certification, if the words quick and easy are used, that’s probably a red flag right there.
Jordan Eisner
Right. So look, let’s, you know, expand on it, Carol, right? You’ve seen it. I’m sure our audience and listeners have seen it. What all did we find out?
Carol Amick
So you know, there are a couple things that come out on this. One is, Delve advertised that you could get a SOC audit and then you said we and they’re not the only ones. I guess I shouldn’t use them in name because I’ve seen this with other places and I’ve actually talked to our clients who, you know, will tell me I talked to so and so and they can get me a SOC audit in a month and I don’t have to do anything. And you know, it’ll be easy. They’re just going to use this tool and it’s going to create a thing. That’s your first red flag right there.
Jordan Eisner
And it’s a fraction of the cost.
Carol Amick
As some call it requires that you design your controls. So if they’re doing that for you, how do you know what the controls are? I mean the AICPA gives me a template and some suggested controls, but it’s not. This is what you have to do. You just have to cover that risk that’s related to the Trust Service Criteria. So these are the suggestions. For example, they have controls on independence on the board of directors, how often the board meets, that kind of thing. If you are a privately held company, you may not even need to comply with that particular common criteria of the trust service criteria.
So you know, you should have been tailoring these to fit your environment and your operations, and that’s not going to happen in a couple of days. I mean, that’s your first sign. You know, we can get this to you in a couple weeks. You’ll have it for your clients.
Jordan Eisner
How can it be custom and tailored to our business in such a short amount of time? You know nothing about us.
Carol Amick
And so I think the other thing to think about is, you know, are they offering to get you certifications that don’t exist? One of the things that a lot of these firms offer is a HIPAA certification. And Jordan will tell you the account executives who have a compliance plan have come to me and said can we, can we certify HIPAA?
No, because there is no such thing. And as a matter of fact, I think it’s the Federal Trade Commission has said if you advertise a HIPAA certification on your website, that is basically false advertising because the government has never authorized a HIPAA certification. So we don’t issue HIPAA certification. So if the firm that’s working with you is giving you certifications that don’t really exist and telling you, you know, we’re going to certify you as HIPAA compliant. How are they doing that? And what’s that?
Jordan Eisner
Yeah, we do, however, issue opinion letters.
Carol Amick
Yeah, I will audit you against it. We will audit you against the we can even include those in a SOC audit. We have a client right now I’m doing a SOC audit that includes HIPAA. So we can give you an audited report that shows you that you are complying with the laws and the regulations. That’s not a problem, but we aren’t going to call you HIPAA compliant because that certification doesn’t exist. So that’s part of the red flags that they are advertising that. And I think the big thing is, are they telling you there’s no effort on your side? Because if they are, how are they getting their data? How are they getting their information? I know we’re in an age where you can get a lot of AI and you can get a lot out of automation, but there are still things in those audits that are not automated. The Trust Service Criteria include controls related to governance. We talked about board of directors, there’s some other ones, personnel, and a lot of that is not always, is not always automated. And so you want to know how are they getting there if they can do it without any input from you? It raises some red flags. And then I’m just going to bring up one that I saw a very interesting LinkedIn post from somebody who was hired to do a peer review on a firm.
That was doing SOC audits and saw that the firm was able to do a SOC audit for about $2000.
Now let’s say your average SOC audit has somewhere in the range of 80 to 100 controls. So let’s say 100 controls. That’s what, $20.00 a control for your CPA firm to look at the auditor. I mean, that’s how much more do you think they’re putting in? It sounds to, you know, and they say in life, it sounds too good to be true. Yeah, it probably is if your CPA firm can do the work for that. The question is, what are you getting? Cause, yeah, I mean, you know, I feel like I’m not one of the most expensive CPA firms in the world and I certainly wouldn’t do an audit for $2000.
Jordan Eisner
Yeah, $20 a control, yeah.
Carol Amick
And that’s what, 5 minutes max, you know. So yeah, I think that’s the other thing. So you know, I know it sounds promising when you get this quick fix and you’ve got somebody breathing down your report, but there are ways to get around that. I think Jordan, we can talk, we do SOC 2 type ones, which is where we show your client that look we identified your controls. Here’s the controls you’re implementing. Here’s where you and we’re on the road. We’re on the progress. You can get those very quickly. We do those, you know, in a month or so. They’re not showing that you’ve got everything implemented, but a lot of people do do that is the first step to show their clients. Look, you want a SOC. We’re on the road, and in three months we’ll have a SOC 2. But you know, we’re giving you a report. We’ve hired a firm. Here’s what we’re doing. Yeah. But I also think the other part of this is the people reading the audits need to start, you know, thinking about whether they make sense, whether it looks like they make sense.
Jordan Eisner
OK, so I know we were going to talk about Delve a little bit. We’ve covered that and then we were getting the red flags, but it sounds like you’re already starting to cover. We’ve dove right in. No, that’s fine. You know, it’ll be quick hitters for the listeners today and we can wrap early, but, you know, price and the lower it is, the more it should be a red flag. Time. The shorter it is, the more there should be a red flag. What else?
Carol Amick
Your involvement, I think is another key. Were you involved? Did you, I mean, did you just hire this company and a month later you have a report, or two weeks later? That’s a red flag because there should have been stuff that you had to explain to your client, to your auditor about how things worked. I never pretend I can go into a system and understand it. Everybody sets their system up differently. Everybody does things differently, documents things differently. And so, you know, were you ever asked to explain anything? Because if you weren’t, that’s probably not a great sign.
We meet with our clients when they’re met SOC once a week just to make sure we understand and also to make sure they understand our request. You know, if we ask for something, I speak audit. I know that. So you know, you may not really know exactly what I want. You don’t waste your time throwing stuff back at me and so you should have been communicating with your auditor, there should have been questions that you had to answer for them over the course of your audit, even if you are using a tool. I mean, a lot of our clients use some great GRC tools that we can just get data out of and do testing out of and look at, but there’s still going to be some questions, you know, even in that case.
Jordan Eisner
Yeah. How can you snuff out some of that beforehand? Let’s say that the price looks good or sorry, the price is very attractive because it’s so low. The time to do it is very attractive because it’s so low. You know, the auditor is painting a picture that you know they’re going to be requesting certain information for me, so probably too good to be true. How can you trust but verify that before you enter into contract with them to do it?
Carol Amick
I think you’ve got to, you’ve got to use some skepticism. I think the other thing is to make sure your CPA firm is registered. There’s a website called CPA Verify that you can go on and look up your CPA firm. You can also go on the AICPA Peer Review website and see if they’re enrolled in the peer review. That is I think one of the things that has come out about some of these firms is they are not doing peer reviews. They are not enrolled in the peer review process. Just Google search. You know the auditor, the CPA’s name, you know where do they have credentials. I have an audit report that one of our clients got that they rejected. Because when they got it, it was signed by a CPA who wrote, well, not really a CPA, a young person who wrote on there that they were sitting for the exam next month. Now they weren’t even technically a CPA because it’s not just the exam, there’s also an experience requirement and when she went on LinkedIn and looked up this young person, it was a young man. They were still in school, so you know they’re getting paid a fee to sign these reports, but a little research might have shown this probably wasn’t the CPA firm you should be picking yourself up with.
Jordan Eisner
Yeah, that’s quite shady.
Carol Amick
You know, and I said we set up our firm that does the audits. You know, we went through a lot of hoops to prove that I had the skills and the expertise. So there’s that. Another background just to make sure there’s a firm that’s registered legitimately.
There were some lists of some of these, and I’ve looked some of them up, and some of them are registered and some of them are probably legit. And a couple of them are, who is this? I can’t even find them. I mean, you can always ask for references too. I mean, that’s another thing.
Jordan Eisner
Well. They’re gonna give you good ones, though. Nobody gives references to people that aren’t gonna sing their praises.
Carol Amick
Yeah. But you know, at this point, I think some people are starting to get suspicious. And so you could easily have somebody say, yeah, we have one. And now we’ve had, I mean, we, we have acquired clients that way who said, yeah, we did an audit with somebody and it wasn’t good and we’re starting over. And so, you know, if you, if you kind of run into that, you can kind of find that out there. That’s your, that’s your peers.
Jordan Eisner
Check credit, OK.
OK, that was a quick list, but it was a good list.
Anything we didn’t cover?
Carol Amick
I feel like a lot of people know when they sign these that this is a little iffy. You know, I can have, I can have a SOC 2 Report in a month. And the other side of this, I would say is if you are the company buying the service from, and you say to them that they do you have a SOC report? Do you have a SOC? Can I see it? And they say no and they then call you and say, but I’ll have it by next week.
That our next or even the next month that alone should be like, wait, wait, what are you giving me? Where is it coming from?
Jordan Eisner
Yeah. So organizations requiring the SOCs also you, you know, this is, this is a message for you too.
If you don’t have some flexibility in how they accomplish the SOC 2, and you’re putting scrutiny and pressure on them to do as quick as possible and as cheap as possible, you could actually be putting your company at risk.
Carol Amick
Yeah. And if they want that business, they call you back and say, you know, we told you we didn’t have something, but we got it this week. OK, we talked to you a week ago and you didn’t have it and now you have it. Yeah, you. Yeah. And you’re right. I think sometimes people, some of you, you know, procurement and stuff puts pressure on people.
Jordan Eisner
So make sure there are checks and balances on your side from a procurement standpoint.
Carol Amick
You know, use, use. That’s why I said, OK, work with them. If there’s a product you really want, work with them to get it done the right way to protect you. You know, yeah, let’s start with you doing a SOC one where it’s just listing out the controls so we can see what you’re doing. Let’s get you going down the road. You know, work with them, um, especially if it’s a product you want and they want to do the right thing, but you’ll get a better product and you will be better protected. Than a check-the-box that didn’t really check your box.
Jordan Eisner
That’s a great, yeah.
That’s a great point. I think that’s a good one to end on. I will say to the listeners and viewers, if you have additional questions on this, if you’re weighing options between auditors, if you’re stuck in an audit where you’re already starting to scratch your head and red flags are appearing, or you just want to bounce some ideas off, you know, an organization.
As you evaluate this and look at future SOC 2 aspirations, please don’t hesitate to reach out to myself and/or Carol. You can find us at compliancepoint.com and you can e-mail us at connect@compliancepoint.com and we’re both on LinkedIn that way, so not too hard to get in touch with.
Until next time, everybody be well. And Carol, thank you for your time today.
