How I’m Leveraging My Experience from Testing Internal Controls Over Financial Reporting (ICFR) to Add Value to SOC 2 Compliance Clients
Obviously, cybersecurity is a matter of high concern in the C-suite and boardroom of every major organization - regardless of sector, industry, or market cap. Recent cyberattacks have not only highlighted stark vulnerabilities in our nation’s cybersecurity infrastructure, they have also illustrated significant financial consequences suffered by both the organization and its customers. So as I began my transition from performing financial statement audits to SOC 2 and other security compliance attestations, I realized that the insights I gained while evaluating former clients’ internal control environments under the Sarbanes-Oxley Act (SOX) would be considerable value-add to my SOC 2 clients.
Let's start with the basics: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s Internal Control Framework was revised in 2013 (COSO 2013 Framework) with its 17 principles outlining requirements to effectively implement the following five components for effective internal control.
Information and Communication
Auditors performing testing of the design and effectiveness of an entity’s internal controls evaluate those controls against the COSO 2013 Framework for both SOX and SOC 2 attestation engagements. While compliance with the SOX Act is generally only required for SEC registrants (i.e., publicly traded companies in the US), there are certainly initiatives under the Act (and therefore insights gained from auditing against the Act) that are beneficial to service organizations evaluating their IT infrastructure and managing security risks that will also have positive impacts on their ability to manage financial risks. For instance, oftentimes SOC 2 clients may underestimate the importance of continuous assessment and monitoring of cyber risk. Understanding that executives often desire to skip to how strategies for effective internal control will benefit their bottom line, there’s considerable value-add opportunity in being able to parallel how such monitoring activities are critical to mitigating financial risk, thereby limiting financial losses, in addition to mitigating information security risk.
As the fallout of increasing cyberattacks on organizations and governmental agencies alike result in ever developing legislation and cybersecurity review boards, I expect to see greater emphasis placed on effective controls at service organizations to prevent service disruptions caused not only by attacks on IT systems but also by potential pauses in operations as a result of significant financial losses due to the security breaches. As hackers and bad actors grow in resources and sophistication, the going concern concept may take on increased significance in security compliance - especially for uninsured, small or middle-tier enterprises with limited capacity to sustain financial losses. Such service organizations can benefit from the financial risk mitigation initiatives in the SOX Act at relatively low costs given the interrelation between SOX and SOC and it is my mission to get them there.