How democratization became commoditization: The original SOC 2 sin

Yair Kuznitsov | March 3, 2025 (Updated: March 3, 2025)

There has been a heated and, in my opinion, important debate recently over what has led to the commoditization of SOC 2 and the destruction of its value.

Originally, the blame was placed on audit automation tools. Some pointed to their mere existence as the root problem; others focused on their messaging (e.g., “SOC 2 in weeks, not days,” “put SOC 2 on auto-pilot,” etc.). The most recent take (often promoted by the vendors selling these solutions) argues that CPAs who offer low-grade reports and the AICPA’s lack of enforcement are to blame. 

While I agree with the majority opinion that it’s most likely a combination of all of the above, I think the original sin isn’t so much how audit automation was marketed, but who it was marketed to. 

Democratization: The demise of SOC 2

With growing market demand among small start-ups looking for a SOC 2 report to start selling upmarket, many vendors embarked on a noble quest to make SOC 2 accessible to these companies as well. Understanding that small start-ups couldn’t afford a GRC function to build out and operate a program, new vendors began building and marketing a tool to non-GRC professionals (CEOs, CTOs, etc.). And there lay the birth of SOC-in-a-box.

This busy target audience views compliance, as they do most things, from a direct business value perspective, i.e., initial revenue. They grind in founder mode and need to prove product-market fit ASAP. They look for the quickest way to buy a SOC 2 report without having the necessary skills and knowledge to know what they are actually being sold (not all attestation letters are created equal).

Building a GRC tool for non-GRC practitioners was where the demise of SOC 2 began. It shifted the focus from doing it right to doing it quickly, from monitoring controls and ensuring they are properly implemented to checking boxes to pass an audit.

Why is this the original sin? Well, it was the literal first step towards the commoditization of SOC 2. But it wasn't just a first step; it was the first domino to fall.


The catch-22 of democratizing GRC

Increasing access to a helpful resource is usually a positive thing. It may sound harsh to deny a startup CTO their SOC 2 report, seeing as the only crime they are guilty of is trying to do business, but hear me out. By selling them what they want, audit automation vendors devalued the report, which deprives them of what they really want anyway. It's a catch-22.

And the damage of giving them “what they want” doesn’t end there. Not only do those startups suffer (a report that’s not credible doesn’t open many doors), but the rest of the market suffers, too.

Building audit automation tools for non-GRC professionals created a demand for cheap CPAs that will issue reports for check-the-box programs. CEOs who used these check-the-box vendors and established questionable GRC programs needed someone to issue them a report, and for cheap. 

Some vendors went even further, offering bundles with these audit firms, forcing CPAs to lower prices and accept the work done on their tools if they wanted the vendor to refer them business, thereby establishing the complete SOC-in-a-Box offer. This doesn’t excuse the auditors for their role in the commoditization; it simply explains where the demand for such reports came from.

And the impact of democratization didn’t end there, either. It also changed the way management teams in growth companies view GRC. When small businesses using SOC-in-a-Box solutions grow and eventually hire a GRC practitioner or even a team to manage the chaos, their work is cut out for them. Having done the first SOC 2 on their own, the CEO thinks they know what they are doing, and so resists allocating an appropriate budget for GRC initiatives. They definitely aren’t interested in reputable auditors or mature GRC solutions, which come with heftier price tags.

Finding a new path forward 

While it truly was a noble cause, trying to help a wider audience build trust with enterprise customers ended up harming the entire ecosystem. 

Attempting to mirror the way enterprises do it (e.g., external attestations by reputable third-party CPA firms of operational controls) has failed. A small start-up doesn’t have the program in place, nor does it have the resources to engage with a reputable firm that can truly help build trust. Attempts to force this square peg into a round hole have caused a lot of damage along the way, and the only real beneficiaries were the audit automation vendors.

A path that allows start-ups to establish trust without harming the ecosystem is out there; democratization just wasn’t it.


Yair Kuznitsov
Tech geek who appreciates and enjoys a good piece of code, Co-Founder and CEO of Anecdotes.