Agreed-Upon Procedures vs. SOC 2 Audits: Which One Do You Need?
What is third-party risk management and why do you need it?
All business owners need to work with outside vendors, or third-party business owners, to keep business moving forward. Obviously, right? You can’t perform all tasks yourself, so you need to enlist some services and products through outside entities.
In the course of doing business with these important service and product providers, it is crucial that you keep your company’s information – whether internal information or your customers’ sensitive information – safe when working with third parties, through the adoption of some type of third-party risk management (TPRM) strategy.
Community Banking Connections shares its view of the relationship between the client and the third-party vendor, stating that “Significant effort is required from both the institution and the third-party vendor to maximize the benefits received from the relationship, service, or product, while simultaneously minimizing associated risks.”
Regardless of the effort that companies put into their respective cybersecurity plans, threats are everywhere, and they are always changing. Security Intelligence confirms the risk, sharing findings that reveal that any business has a 1-in-4 chance of falling prey to a cyberattack.
In spite of the risks, organizations need to work together for mutual and respective success. Reaching out to a company that provides a specialized service, product or delivery channel under the right terms can greatly reduce costs. And vendors need to sell their services and wares in a safe environment, so it is important for both businesses to find common ground, for their own business’s sake, as well as for the sake of their customers, stakeholders and brand reputation.
A solid TPRM strategy offers you, as the client, some variation of the following criteria:
- Remediation Plan Support. For each service provider, you need continuous security guidance through the remediation effort.
- It is important to understand the needs and assessment parameters from the beginning of your engagement.
- Another important feature of monitoring your engagement with your third-party provider is a performance assessment, based on the scope of the relationship.
- Once you have received your assessment, it is time to analyze the results.
- Finally, you will need to prioritize your remediation efforts based on the results of your assessments.
IS AN AGREED-UPON PROCEDURE OR A SOC 2 AUDIT THE RIGHT THIRD-PARTY RISK MANAGEMENT FOR YOUR ORGANIZATION?
Agreed-upon procedures (AUP) and SOC 2 audits are the two most common tools that businesses use to manage TPRM, but how do business owners know which approach is correct? How do you know which one is right for your business?
WHAT IS AN AGREED-UPON PROCEDURE?
An AUP engagement is brokered between a client and a licensed CPA firm. The client might choose an AUP when following business procedures that require factual and unbiased information. Further, upon completion, the client will need to issue a report of findings, based on specific procedures that relate to a specific subject matter. The AUP must be performed according to AT Section 201 from the American Institute of Certified Public Accountants (AICPA).
The accountant merely issues a report of their findings without providing an opinion or negative assurance on the matter.
WHEN WOULD YOU USE AN AGREED-UPON PROCEDURE?
There are several practical reasons a business may choose an AUP engagement over a SOC 2 audit, including the following:
- Pursuing a Business Loan. Banks often need objective and factually based assurances regarding your receivables and inventory, which will serve as collateral for your loan. Your accountant can examine your financial statements in order to generate an objective and candid report for the bank to review.
- Maintaining Compliance. If your organization is a non-profit or government agency, you need to make sure that you meet certain regulatory requirements.
- Winning Contracts and Bids. This is another case where an AUP is ideal: a government contractor needs an account of its indirect costs during a specific time frame to help determine the rates and cost principles used in compliance with current regulations. A report of a comprehensive indirect cost allocation plan, as well as a job cost accounting system, can help you win and keep the government contracts you need.
- Verifying Income Tax Revisions. Most businesses prefer to defer to the expertise of a reliable third-party auditor when it comes to dealing with the IRS. A CPA can go back through your returns, without the stress and anxiety you may be feeling, find any errors, and objectively note what occurred and how you may fix it.
- Limiting Scope Reduces Fees. By focusing on one or two aspects of your business, you can save on CPA fees while maximizing the benefits of your review.
WHAT IS A SOC 2 AUDIT?
A SOC 2 audit report assures the engaging companies that the 5 Trust Service Principles of Security, Availability, Processing Integrity, Confidentiality and Privacy are being addressed and adhered to by their service organization’s controls.
The SOC 2 auditor focuses on reviewing the controls at a service organization, according to the 5 Trust Service Principles:
- Security. The system is protected against unauthorized access, use or modification.
- Availability. The system is readily available for use, according to the agreed terms.
- Processing Integrity. The system is in agreed working order and is complete, valid, accurate and authorized for required use.
- Confidentiality. Information designated as confidential is treated as such.
- Privacy. The system’s collection, use, retention, disclosure and disposal of any personal information is done in conformity with commitments in the service organization’s privacy notice and with any criteria set forth in the agreement.
There are two different types of SOC 2 audits for service organizations:
- Type 1. This audit examines the controls used by service organizations to address any one or all of the 5 Trust Service Principles and provides assurance that controls are designed and operating effectively to meet the desired objectives at a specific point in time.
- Type 2. The Type 2 SOC 2 audit includes all the same information as Type 1, but it adds attestation that a service organization’s controls have been tested for operating effectiveness over a sustained period of time.
WHEN WOULD YOU USE A SOC 2 AUDIT?
A SOC 2 audit is intended to meet the needs of a broad range of users that require detailed information and assurance regarding the controls at a service organization, relating to security, availability and processing integrity of the systems used to process users’ data, as well as the confidentiality and privacy of the information processed by the systems.
A few of the most common reasons businesses need a SOC 2 audit include the following:
- Organizational oversight
- Vendor management programs
- Internal corporate governance and risk management issues
- Regulatory compliance oversight
Do You Need Help Determining Whether an AUP or SOC 2 Audit Is What You Need?
We understand that the difference between these types of examinations and reports seems subtle and can be confusing. If you need help determining which procedure fits your current needs, our auditors at I.S. Partners, LLC can help answer your questions.