SOC 2 is, by far, the single most requested document in TPRM circles. The “Service Organization Report” is a document prepared by a CPA firm using (usually) well-qualified information systems auditors. Much of the value of a SOC 2 report derives from the fact that an independent third-party is attesting to the design of information security controls (in a SOC 2 Type I) and the design and operation of information security controls (in a SOC 2 Type II). It isn’t just that a company says it has good controls, the company must prove it does… to an independent auditor.
Why SOC 2 Isn’t the Only Game in Town
If your company sells IT-related services to other companies, it is very likely your customers and prospects have requested a SOC 2 report, but an Agreed Upon Procedures document could give you what you need with a much-lower investment.
If you have an SOC report to provide, you probably hate it because it was (in all likelihood) extremely expensive (reports often cost well into six figures), very complex and resource-intensive, and currently offers little value beyond giving you a 100-page report that only an auditor can understand.
If you don’t have one completed, you probably hate the SOC 2 because you are barraged with clients asking for other documentation in lieu of the SOC 2, and asking why you haven’t got one.
For many small to midsize companies, it’s out of reach. The cost, the complexity, the resource drain… these are all significant barriers to complete a SOC 2.
If you’re contractually obligated to provide a SOC 2, you may have no choice but to bite the bullet. If not, there are alternatives that can be vastly less expensive, far more useful to your organization, and more valuable to your customer as well. Believe it or not, these alternatives can still provide the required attestation from an independent third-party.
Agreed Upon Procedures and Other SOC Alternatives
The largest standards group and professional association for third-party risk management in the world today is the Shared Assessments Organization. Shared Assessments provides a wide array of products and services, including the well-known Standard Information Gathering (SIG) questionnaire, the premier professional certification in third-party risk management (the Certified Third Party Risk Professional, or CTPRP certification), the free-to-use Vendor Risk Management Maturity Model (VRMMM or “vroom,” to be discussed in a later blog), and a highly useful tool called the Agreed Upon Procedures or AUP.
The Agreed Upon Procedures tool is a comprehensive assessment tool, completed by and attested to by an independent professional auditor, which evaluates and reports on a company’s information security control design and operation. Sound familiar?
But the AUP is significantly different from a SOC 2 report and, while currently less-well-known, can be a compelling alternative. As a professional auditor who requests and reads many SOC 2 reports, I prefer it, in many cases, to a SOC 2 report. And Agreed Upon Procedures might be a better alternative for your company.
5 Reasons to Use Agreed Upon Procedures Instead of SOC 2
Here are five reasons why the Agreed Upon Procedures report beats SOC 2.
1. AUP can be considerably less expensive to obtain. Why? First, the audit program is already written, whereas the audit program underlying a SOC 2 report must be essentially created from scratch for every engagement. Second, the time spent on-site for the review can be reduced; it’s easier for the auditor to specify in advance the evidence that he or she will require.
2. AUP can require considerably fewer service organization staff resources. An AUP audit typically requires 3-5 days at one client site, while a SOC 2 can require (in some cases) several weeks on-site, at various physical locations.
3. AUP can give your organization valuable, actionable information about the status of your information security management system (ISMS). SOC 2 reports often tend to be very narrowly scoped: the systems that will touch the client’s data are often the systems scoped into the SOC 2. The Agreed Upon Procedures tool considers those systems, but looks at a broader variety of controls across your entire infrastructure. It is also explicitly designed to map to the NIST and ISO 27001:2013 standards. If your organization is considering becoming ISO 27001 certified (a great idea, by the way), the AUP can give you a very informative glimpse into your strong and weak areas. Some organizations have used the AUP as a tool to determine their readiness to undertake the ISO 27001 certification process.
4. AUP can provide your customers and clients with information not readily obtainable from many SOC 2 reports. The AUP includes detailed information about sample sizes, testing methodology, and attributes considered. For example, your client could see from the AUP report that your organization has a process for detecting unauthorized wireless networks, that there is evidence the process is being utilized, whether any unauthorized wireless networks were detected in the previous six months and, if so, whether they were removed. This level of detail is generally not included in a SOC 2 report.
5. AUP can be more objective. Just like in a SOC 2 report, an AUP requires the attestation of a qualified professional auditor (usually a Certified Information Systems Auditor, or CISA). But it adds an element of objectivity that is difficult to duplicate in a SOC 2. The assessment tool is designed to determine whether a control exists or not. It still requires the professional expertise and judgment of a competent auditor, but it makes it easier for a reviewer to understand what objective evidence was used, what criteria were used to examine that evidence, and what the empirical evidence was of its effectiveness.
If your company is being asked to produce a SOC 2 report, or is being asked for other documentation to demonstrate the effectiveness of your information security management system, please consider that there are alternatives to a SOC 2, and for many cases, one of these alternatives is the Shared Assessments AUP. In many cases, the AUP is not only less expensive, but also more useful, and is a better means of communicating the real information that your clients and customers need.
If you’d like more information about the AUP and how Pivot Point Security can help you complete one or evaluate the alternatives, please contact us for a no-pressure, free consultation.