By Troy Fine
Organizations that want to verify that they’re adhering to a variety of compliance frameworks can turn to outside auditors for help. But how do they know these auditors are above-board? Drata’s Troy Fine explores the nuances of (just a fraction of) the audit oversight agencies that brush up against the compliance industry.
A number of oversight bodies interact with the compliance industry, each providing quality control from a slightly different angle. For example:
- To perform a SOC 2 audit, a CPA firm based in the U.S. must be enrolled in the Association of International Certified Professional Accountants (AICPA) peer review program.
- The International Accreditation Forum (IAF) issues accreditation to certification bodies that wish to perform ISO 27001 audits.
- HITRUST reviews and approves firms providing external assessments and other services associated with the HITRUST assurance program.
- The Public Company Accounting Oversight Board (PCAOB) is a nonprofit organization established by Congress that oversees the financial audits of public companies, with the goal of protecting investors.
This alphabet soup of acronyms only scratches the surface of the selection of bodies that provide some degree of oversight and quality assurance within the compliance industry. It’s good that these organizations exist — they provide valuable insight for organizations looking to make informed compliance decisions, but keeping everything straight is often easier said than done.
The role of oversight
In the security industry, frameworks and standards like SOC 2, ISO 27001 and others create a baseline security standard for organizations to adhere to. Some, like HIPAA, focus squarely on certain industries and others, like the EU GDPR and California’s CPRA, are geared toward data privacy rather than explicitly focusing on security. While regulations like GDPR and CPRA are usually only invoked after a violation has occurred, SOC 2, ISO 27001 and others require organizations to perform audits at regular intervals in order to maintain compliance.
Who performs those audits matters. A SOC 2 audit must be performed by a CPA firm, but CPA firms can have varying degrees of expertise and quality. Does the firm in question have a history of performing SOC 2 audits? Are there peer review reports available that provide insights into its performance? Do they behave ethically or are there red flags to worry about? These are all important questions, and oversight bodies like AICPA can help answer them before beginning the audit process. To continue with the SOC 2 example, a CPA firm’s most recent peer review report is always published on the AICPA website. If no report is available, it means the firm is not enrolled in the program and should not be used for a SOC 2 audit.
Other compliance frameworks can be trickier. Technically, any CPA firm can perform an ISO 27001 audit, but accreditation exists to ensure quality. Many organizations may not even know that there is an accreditation process for ISO 27001 certification bodies, and this can result in audits being performed by less-than-reputable firms. That may not mean much to the organization being audited, but when a potential partner or customer asks to see their ISO 27001 certificate, they are sure to notice that it was issued by an unaccredited certification body. This can have negative consequences from both a business and reputational standpoint.
While SOC 2 and ISO 27001 are just two examples, it’s a good idea for organizations to familiarize themselves with the bodies that oversee any compliance standard with which they may eventually need to comply.
Enforcement — and what it means
One of the common complaints about oversight in the compliance industry is the lack of teeth. And it’s true that, for the most part, punishments handed down by oversight bodies in this area tend to be more reputation-focused. The AICPA, for example, can expel or suspend members found to have violated ethical standards for a period of up to two years, during which time they may not identify or present themselves as an AICPA member. While not a monetary fine, this can have a significant impact on a CPA firm, which will find it much more difficult to find clients in the future.
Other bodies are beginning to engage in more direct corrective action. Late last year, the PCAOB handed down $7.7 million in penalties to both firms and individuals found to have violated professional auditing standards. These were not the first fines to be issued by the PCAOB, but they reflect the increased willingness of the organization to levy significant penalties. In late 2021, the SEC appointed four new board members to the PCAOB and made it clear that it wasn’t happy with the prior regime’s lack of enforcement.
With a new directive — and new resources at its disposal — the PCAOB has since stepped up its investigation of unethical auditing practices and worked to punish them appropriately. In the past, the organization simply didn’t have the ability to go after every bad audit brought to its attention — but with the backing of the SEC, it now provides consumers with a valuable new resource. If a firm has been recently penalized by the PCAOB, it may be best to steer clear.
Who is all this for?
The truth is, for most organizations, compliance is sometimes viewed as little more than a box to be checked. Before entering into a business relationship, organizations want to know that their data will be handled with the appropriate level of care, and compliance frameworks provide them with a means to gauge a business’s security capabilities against accepted standards. This creates a situation where the potential customers and partners are more interested (and invested) in the quality of the audit than the firm actually being audited. Again, it’s easy to see why some organizations just want to check the box and move on — but it’s also easy to see why that is a mistake.
This is why these oversight bodies are so important. An organization receiving an ISO 27001 audit may not think to check whether the certification body is accredited — but the potential partner asking for the report certainly will. A business undergoing its first SOC 2 audit may not think to check whether the auditor is in good standing in its home state — but a potential customer might take note. In today’s world, it is incredibly easy to verify whether a potential auditing firm is registered with the appropriate oversight body, is properly accredited or has been recently fined or penalized — and failing to do so can result in reputational damage and lost business.