Today I wanted to write a quick note to the AICPA to congratulate them for creating the most rigorous and successful security standard of the 2020’s.
It is clear from its widespread adoption that everyone knows they need to do a SOC 2.
It is particularly impressive that firms feel this way given the range of options to perform a SOC 2. Is it a CPA? Does the CPA sign? What else does the CPA have to do? How do firms know which CPA firm to choose? Well, somehow, they are overcoming this uncertainty and forging ahead and doing these audits.
One thing that is amazing is that the results are so consistent from Big 4 accounting firms to big tech specialty firms to small mom-and-pop accounting firms looking at security. This must be a function of the rigorous training and standards in place for these audits.
It is very good that the audit periods are clearly defined and we don’t have firms doing 3-, 6-, or 12-month audits willy-nilly.
I also appreciate how easy the reports are to read. For one, the scope is always very technical and clear. For another, the controls leave no doubt that the auditor clearly understood the security of the system. The clear organization and summary of the report makes it very easy to digest the information.
Reading a SOC 2 report and learning that there were no exceptions makes me trust the vendor so much more than I did prior to reading the report, because I know they had to pay at least $10,000 to someone to get that report.
Ultimately, I’m perhaps most glad that they haven’t let the standard get eroded or confused by either poor auditors or tools that automate compliance - those folks have been embraced and brought into the fold to make the SOC 2 juggernaut even more powerful.
The fact that no firms with solid SOC 2 audits have been hacked is a testament to the standard itself.
Congratulations. Keep up the great work!