There’s a myth in the marketplace that CPA firms cannot provide readiness assessments that has left many questioning what type of organizations are ethically able to provide these services, the value of SOC 2 readiness, and the role CPA firms play in the auditing process.

So, what’s the truth? While the guidelines outlined by the American Institute of Certified Public Accountants (AICPA) are intended to maintain an independent point of view by the auditor, they do not limit CPA firms from helping organizations identify gaps and best practices as they are working towards their SOC 2 audit. In the below article, our auditing experts bust three common myths to set the record straight.

MYTH #1
CPA Firms Can’t Provide Readiness Services

Fact: CPA firms absolutely can provide readiness assessment services and are uniquely qualified to identify gaps that may exist.

For organizations preparing their first SOC 2 audit, it is common for the CPA firm to recommend a readiness assessment as a first step. Readiness assessments include identifying gaps within the system and providing industry best practices to remediate those gaps. As a licensed CPA firm, we are uniquely qualified to perform readiness services. We undergo regular peer reviews and independent evaluations to ensure that the strict AICPA guidelines are upheld in all services we provide.

As the #1 issuer of SOC 2 reports in the world, our firm is built on the trust of our clients and we go to great lengths to remain impartial while always having a mind toward the customer.

For the past 13+ years, we have helped thousands of organizations throughout the ENTIRE SOC 2 journey including readiness, audit fieldwork, evidence review, and final report delivery without requiring involvement of third-party vendors. Our experienced team of auditors guide organizations on industry best practices throughout the audit, while upholding A-LIGN’s professional and ethical values.

It’s important to note that software vendors are not peer reviewed, held to any industry standards, or audited by governing bodies.

How A-LIGN Delivers Trust

Our auditors are experts on the standards and ensure we can deliver what is most important to our customers — TRUST. Our firm has undergone four peer reviews mandated by the AICPA and annual audits for The ANSI National Accreditation Board (ANAB) and American Association for Laboratory Accreditation (A2LA). We also submit annual questionnaires for PCI and went through our first CMMC audit. A-LIGN holds several designations, including:

• Licensed CPA firm
• Accredited ISO/IEC 27001:2013, ISO/IEC 27701:2019, and ISO 22301:2019 Certification Body
• HITRUST CSF Assessor Firm
• Accredited FedRAMP 3PAO
• Candidate CMMC C3PAO
• PCI Qualified Security Assessor Company

A-LIGN has delivered more than 5,000 SOC 2 reports for more than 2,500 clients. Our final reports are widely trusted in the marketplace and have a reputation for quality.

MYTH #2
It’s Easier to Use a Software Provider AND an Auditor

Fact: Using a software provider for your SOC 2 Readiness Assessment AND an auditor for your final report creates a disjointed audit process, and in turn, more work for your team.

All SOC 2 audits must be completed by an external auditor from a licensed CPA firm. If you plan to use a software solution to prepare for an audit, it’s helpful to work with a firm who can provide both the readiness software, perform the audit, and produce a reputable SOC 2 report. 

By working with A-LIGN and utilizing A-SCEND throughout your SOC 2 audit process, you’ll have access to your project dashboard to understand your audit in real time. This dashboard allows you to see all of your calls to action, overall progress, items that may be past due, and much more.

To expediate your audit, A-LIGN clients can use the automated evidence collection features of the A-SCEND platform to gather any remaining evidence. As this is a time intensive process, auditing experts highly recommend using a compliance automation software tool to save effort, time and resources.

After your report has been issued, we recommend reviewing A-SCEND’s Crosswalk feature to view how close you are to completing additional compliance assessments. For example, if you have completed a full-scope SOC 2 report with A-SCEND, you’ve also met 90% of HIPAA compliance and 100% of SOC 1 evidence requirements. The Crosswalk feature allows you to benchmark your organization’s compliance against other standard requirements to streamline and consolidate your compliance needs.

MYTH #3
SOC 2 Readiness Assessments Aren’t Necessary in the Audit Process

Fact: SOC 2 readiness assessments can expediate the audit process, saving you time, budget and resources.

Going into your first SOC 2 examination unprepared can be costly to your organization. Identification and remediation of gaps is a critical step in preparing for your audit. Often preparedness activities performed by a non-CPA can provide organizations with a false sense of security with common issues that include incorrect scoping, misleading timelines and failure to understand the intent of the comprehensive requirements.

How can A-LIGN assist? Our automated SOC 2 Readiness Assessment includes a list of questions to answer about your organization’s security posture through our compliance automation software, A-SCEND. Based on your responses, A-SCEND will generate a comprehensive report to gauge your level of readiness. A-LIGN professionals are available to aid in review of the gaps and best practices so that customers can begin remediation.

As a CPA firm, how does A-LIGN maintain independence during the review process? We provide you with best-in-class templates that your organization can use to create any missing policies through our Policy Center in A-SCEND. A-LIGN refrains from making any managerial decisions or actions on behalf of your company, and will not:

• Implement controls on your behalf
• Provide step-by-step direction on how to remediate a control gap
• Write your policies and procedures
• Configure your systems, tools, or applications

Our experts can help you navigate the common issues experienced for organizations that are new to the SOC 2 journey. Our professionals are available to answer your questions that may come up during the readiness assessment.

The Benefits of SOC 2 Readiness Assessments

A-SCEND’s SOC 2 Readiness Assessment minimizes cost and increases productivity, helping your organization become SOC 2 compliant.  Overall, a SOC 2 Readiness Assessment can:

• Make SOC 2 Compliance Easy: With everything you need to prepare for your SOC 2 exam, our readiness assessment lays out the questions in a language you’ll understand with multiple-choice Q&As. 
• Remediate Issues Before Your Exam: Discover any issues or gaps prior to your audit via an easy-to-read readiness assessment report available for download.
• On-Demand, Expert Advice: Our expert auditors answer your questions through the comments function or live auditor assistance.
• Learn from the #1 SOC 2 Report Issuer: Our expert auditors have completed thousands of audits and will provide tips and recommendations to assist throughout the SOC 2 exam.
• Complete SOC 2 Without Switching Auditors: The information from your readiness assessment will directly relate to your Information Request List (IRL) during the audit process. Any evidence you already uploaded will automatically transfer over to your SOC 2 examination.

Better Prepare for Your SOC 2 Examination

A-SCEND’s SOC 2 Readiness Assessment is the only compliance management solution that includes live auditor assistance from a CPA firm. Once you’ve prepared for your SOC 2 examination, there’s no need to find another auditing firm- our professionals can take you from readiness to final report. To learn more about our SOC 2 Readiness Assessment, please complete the form below.