What Service Organizations Should Know When Purchasing SOC 2 Tools

Maria Braun, Partner, IT Consulting Services
Chris Kradjan, Partner, IT Consulting Services
Bosco Yuen, Managing Director, IT Consulting Services

Several new system and organization controls (SOC) 2 tools on the market are designed to help improve the SOC 2 examination experience for service organizations. These platforms offer a new breadth of functionality and scope. According to the Association of International Certified Professional Accountants (the Association), use of this type of SOC 2 tool might affect how the service auditor meets relevant requirements of the attestation standards.

Provider offerings can vary greatly, so if you’re considering adopting a compliance software program to assist in compliance efforts, it’s critical to thoroughly evaluate potential vendors as well as their capabilities and limitations.

While some compliance programs can increase efficiency and organization, others could add complexities and examination responsibilities for the service organization and the auditor.

Here, we discuss key considerations—including software benefits, limitations, selection criteria, and associated responsibilities—to keep in mind when evaluating compliance software options. To learn more about SOC examinations, see our SOC report guide.

Benefits to Look for In SOC 2 Tools

The right SOC 2 tool could help your service organization streamline its preparation for its first SOC 2 audit or execution of annual subsequent SOC 2 audits, which could result in time and cost savings.

Quality programs will allow your organization to:

  • Save time with templatized controls, risk assessments, and policies
  • Aggregate evidence across software utilized by the organization, such as Amazon Web Services (AWS), Azure, Google Cloud, GitHub, and Jira
  • Monitor system and security settings
  • Align SOC 2 requirements with other security and compliance frameworks, such as National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and others
  • Build an audit trail in support of audit activities
  • Establish a data exchange and communication portal between the service organization and service auditor
  • Access evidence previously provided to the service auditor to be used as a reference

Compliance software is just one way to improve your SOC 2 experience. If you’re looking for more, see our articles Efficiencies with Data and Internal Controls Could Translate to Revenue and 3 Steps to Improve Your SOC 2 Exam and Sharpen Your Company’s Competitive Edge.

Compliance Software Limitations

Compliance platforms are part of an emerging market that has significant potential. However, it’s presently limited in its capabilities. While certain compliance platforms can be used to support aspects of an organization’s SOC 2 examination, it’s essential to understand where limitations exist.

Evaluate the following to identify potential limitations:

  • Complexity of the service organization’s environment or the organizational structure
  • Service organization’s market offering or industry
  • Unique elements of security exposure
  • Data within the compliance platform if the integration doesn’t exist between the platform and the software utilized by the organization
  • Segregation of duties vulnerabilities
  • Scalability as your organization matures and each business unit grows and implements its own business requirements

For these reasons, it’s important to not let the use of compliance software create a false sense of confidence in controls or processes that may not be designed securely—especially in situations where the service organizations rely on the SOC 2 tool provider and don’t understand their control design and implementation.

For auditors, SOC 2 tools can force reliance on their integrations between the compliance platform and software commonly utilized by the organizations—regardless of the quality of their own SOC 2 report or validation of the completeness and accuracy of the data pulled via the integration.

SOC 2 Tool Selection Considerations

To make an informed decision and select a compliance software that’s right for your organization, be sure to:

  • Assess your needs
  • Vet potential vendors
  • Finalize your contract
  • Manage the implementation

For a more in-depth look at the elements to consider, see Strategies to Help Choose the Right Technology Vendor For Your Specific Needs.

Since the functionality and scope of the current compliance software available on the market vary considerably by the vendor, you can use the following to help with your evaluation:

Software

  • Assess whether the system produces canned controls or is based on illustrative controls or controls tailored specifically to full risks and technologies in use by the service organization
  • Evaluate if the available policies and procedures are canned or tailored to the service organization
  • Understand the integrations that exist to collect information from various sources and how easily it allows auditors to extract evidence
  • Determine how evidence not generated by the SOC 2 compliance software and records maintained by departments outside it can be organized and managed by the service organization
  • Understand needed functionality and desired outcomes specific to your goals
  • Beware of representation of SOC in a box and potential for robo-signers

Provider

  • Determine the extent the vendor will help with product setup and offer ongoing tech support
  • Understand if the SOC 2 compliance software provider can support the customization your service organization needs
  • Consider the licensing obligations from the SOC 2 compliance platform provider and how they feed into the total costs for undergoing SOC examinations
  • Determine to what extent the provider offers training for your organization on tool configurations and use
  • Obtain references from other technology companies of similar size that used the product to scale while growing from a startup to a mature business

Understanding the provider’s limitations up front can prevent additional complexity resulting in increased overhead for staff to care for and maintain the product.

Continued Responsibilities for Maintaining Your SOC 2 Tool

If you decide to proceed with a SOC 2 tool, there are additional responsibilities for the service organization and its auditors to keep in mind to increase adoption and help avoid common implementation pain points.

Service Organization

To help prevent your organization from placing excess reliance on the SOC 2 tool and its results, properly balance your organization’s responsibilities with the capabilities of the program by doing the following:

  • Assume full responsibilities for the software control design, operating effectiveness, and evidence gathering
  • Avoid subordinating duties for the SOC examination to the SOC 2 tool provider
  • Understand how the SOC 2 tool has been configured and how to make sure it’s operating as intended
  • Place additional checks to validate the SOC 2 tool and its results
  • Evaluate the completeness and accuracy of data before providing evidence to the service auditor
  • Conduct due diligence and annual review of the SOC 2 report, or equivalent, for the SOC 2 tool
  • Prepare a tailored risk assessment, policies, procedures, and other materials specific to your organization
  • Work with the SOC 2 tool provider for carve-out or inclusive reporting if the provider is deemed a subservice organization

Auditor

Unfortunately, SOC 2 tools don’t lessen the responsibilities of the service auditor as defined in the SOC 2 Guide and professional standards. As an auditor, it’s essential to still:

  • Require that the service organization take responsibility for subject matter under audit before accepting the engagement
  • Maintain independence from the SOC 2 tool provider
  • Understand functionality and configuration of how the tool is set up for a given service organization
  • Validate that management took the responsibility to own and operate the controls under audit and data collected within the SOC 2 tool
  • Review the design of reported controls for completeness and relevance and to help ensure critical risks to the system are appropriately addressed
  • Confirm the risk assessment, policies, procedures, and other canned output are fully tailored to fit the service organization
  • Check the completeness and accuracy of the information collected and reported from the SOC 2 tool

We’re Here to Help

To learn more about SOC examinations explore our on-demand webcasts  or contact your Moss Adams professional.

To learn more about this new market for SOC 2 tools or for questions about your SOC 2 examination process, please contact your Moss Adams professional.

Ask a Question

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.

Related Topics

3 Steps to Improve Your SOC 2 Exam and Sharpen Your Company’s Competitive Edge
The World Has Changed Due to COVID-19—Has Your SOC Report?

Contact Us with Questions

Enter security code:
 Security code