Compliance

Auditors: Don’t let the SOC-in-a-box phenomenon undo everything you have built

Ethan Altmann
May 15, 2024

Honest auditors, we know what you are going through. Your ecosystem has been invaded by a shady underworld, one that poses a threat to the integrity and professionalism of your work, and that undercuts your business, directly impacting margins. This piece will dive into why and how this is happening, and perhaps how we can ensure that it has an expiry date. Ultimately, the good guys always win out, right?

Being an information security auditor in 2024 is no easy feat. To some extent, you are expected to be an expert in cloud infrastructure configurations, secure development practices, human resources processes, IT device management and more, and understand the business context and the corresponding processes. Is this a reasonable expectation? Perhaps, perhaps not, but if you are expected to audit these areas whilst upholding high standards, is it simply a given that concessions must be made? 

If the answer is yes - which concessions are acceptable to make? Which compensating controls can be put in place in order to attempt to offset these sacrifices? And if the answer is no, how can an audit firm attract the caliber of professionalism required? What is the cost of such professionals? I definitely do not have all the answers - but let’s dig in a little. 

A common phenomenon of the last 3 years or so goes as follows - an audit automation tool that shall not be named engages a small organization looking to receive a SOC2 report ASAP. The tool is offered at a subsidized rate as part of a package deal with a “preferred” audit firm, who shall conduct the SOC2 audit within the tool. An unspoken agreement is made - the audit shall occur swiftly and without fuss, the tool doing the “work”.

The unintended consequences of this phenomenon impact the world of information security auditing across a host of areas - audit integrity, quality assurance and even profitability. ISO/IEC 17021 (the standard ISO certification bodies must adhere to) places a significant emphasis on “impartiality” and defines impartiality as “the presence of objectivity”, and adds that “objectivity means that conflicts of interest do not exist, or are resolved so as not to adversely influence subsequent activities of the certification body”. 

Let’s run some basic math, staying conservative - a standard SOC-in-a-box audit can cost anywhere from $5-8k. I have consulted with leading audit firms (those that do not conform to the SOC-in-a-box approach), and learned that a SOC2 Type 2 audit, when conducted as per AICPA guidelines, is typically a 100-200 hour engagement, dependent on the size and complexity of the auditee environment.

Taking the extremes in the interest of conservatism (highest contract value, lowest hour count), let's explore the financials here:

  • Revenue: $8,000 audit contract / 100 SoW hours = $80 hourly revenue per audit engagement
  • Cost: $107,000 annual salary / 1,928 working hours = $55 per hour; $55 * 1.25 employer cost multiplier = employee cost of $69 per hour

So the audit yields a margin of 14% (1 - $69/$80) before factoring in all the other overheads the audit firm would have; once those are included, it is clear that the model would not be profitable.

Does the absence of a profitable business model directly impact impartiality? I suspect so, and hence I suspect auditors involved in these practices would not be able to meet their obligations with regard to accreditation standards (those of the National Accreditation Commission, that lead AICPA accreditation processes).

So, to my original question, what are the concessions being made to make this all make financial sense? Ultimately, an audit firm, unlike VC-funded startups, must maintain profitability.

  • Much cheaper labor than the average salary quoted above is being recruited and leveraged for these engagements. How is this possible? Well, these auditors are much less experienced and qualified, and as a consequence, much less stringent and accurate testing and reporting work is performed.
  • The engagement is completed in much less than 100 hours by “leveraging” out-of-the-box test results that oftentimes do not tell the full story. What are the consequences? A lack of depth and quality in scoping/testing/reporting.

These are just two examples - there are more, but they will likely come to light another day. The bottom line remains the same: when the financial bottom line doesn’t make sense, concessions must be made in order for the model to continue to operate. The concessions being made in the world of SOC auditing are degrading the value of reports, which in turn is degrading the value of your audit firm, your reputation, and information security auditing as a whole.

My message is simple - SOC reports were a source of trust, but this trust is on the verge of being completely lost, as the industry is losing faith in dummy reports. As is the natural course, the industry will find another way to demonstrate trust and to evaluate vendors, and audit firms will bear the brunt of this shift. But, perhaps it’s not too late - the provision of quality work that leads to trustworthy, in-depth reports does not go unnoticed, even in today’s climate. Unfortunately, it is just scarce.

----
Notes on the figures used above:

  • $107,000: average salary for an information security auditor in the USA
  • 1,928 hours: 2008 working hours in 2024 less 10 PTO days, assuming 8 hr work days
  • 1.25x: cost to employer is between 1.24-1.4x employee salary
  • Margin calculated as 1 - (hourly employee cost / hourly revenue)

Ethan Altmann
Compliance Product Owner - Chief framework cross-referencer, Control-understander, Evidence-mapper