Agreed Upon Procedures (AUP) vs. SOC 2

Editor’s Note: This post was originally published in April 2017. It has been updated to reflect the name change from AUP to SCA.
A Standardized Control Assessment document (formerly known as an Agreed Upon Procedures document) is a great tool for third-party risk management (TPRM) and could be a far better option for smaller businesses when compared to the better-known SOC 2 report.
SOC 2 is, by far, the single most requested document in TPRM circles. The “Service Organization Report” is a document prepared by a CPA firm using (usually) well-qualified information systems auditors. Much of the value of a SOC 2 report derives from the fact that an independent third-party is attesting to the design of information security controls (in a SOC 2 Type I) and the design and operation of information security controls (in a SOC 2 Type II). It isn’t just that a company says it has good controls, the company must prove it does… to an independent auditor.

Why SOC 2 Isn’t the Only Game in Town
If your company sells IT-related services to other companies, it is very likely your customers and prospects have requested a SOC 2 report, but a Standardized Control Assessment document could give you what you need with a much-lower investment.
If you have a SOC report to provide, you probably hate it because it was (in all likelihood) extremely expensive (reports often cost well into six figures), very complex and resource-intensive, and currently offers little value beyond giving you a 100-page report that only an auditor can understand.
If you don’t have one completed, you probably hate the SOC 2 because you are barraged with clients asking for other documentation in lieu of the SOC 2, and asking why you haven’t got one.
For many small to midsize companies, it’s out of reach. The cost, the complexity, the resource drain… these are all significant barriers to complete a SOC 2.
If you’re contractually obligated to provide a SOC 2, you may have no choice but to bite the bullet. If not, there are alternatives that can be vastly less expensive, far more useful to your organization, and more valuable to your customer as well. Believe it or not, these alternatives can still provide the required attestation from an independent third-party.

Standardized Control Assessment and Other SOC Alternatives

The largest standards group and professional association for third-party risk management in the world today is the Shared Assessments Organization. Shared Assessments provides a wide array of products and services, including the well-known Standard Information Gathering (SIG) questionnaire, the premier professional certification in third-party risk management (the Certified Third Party Risk Professional, or CTPRP certification), the free-to-use Vendor Risk Management Maturity Model (VRMMM or “vroom,” to be discussed in a later blog), and a highly useful tool called the Standardized Control Assessment or SCA (formerly known as Agreed Upon Procedures or AUP).
The SCA tool is a comprehensive assessment tool, completed by and attested to by an independent professional auditor, which evaluates and reports on a company’s information security control design and operation. Sound familiar?
But the SCA is significantly different from a SOC 2 report and, while currently less-well-known, can be a compelling alternative. As a professional auditor who requests and reads many SOC 2 reports, I prefer it, in many cases, to a SOC 2 report. And Standardized Control Assessments might be a better alternative for your company.

5 Reasons to Use Standardized Control Assessments Instead of SOC 2

Here are five reasons why the SCA report beats SOC 2.
1. SCA can be considerably less expensive to obtain. Why? First, the audit program is already written, whereas the audit program underlying a SOC 2 report must be essentially created from scratch for every engagement. Second, the time spent on-site for the review can be reduced; it’s easier for the auditor to specify in advance the evidence that he or she will require.
2. SCA can require considerably fewer service organization staff resources. An SCA audit typically requires 3–5 days at one client site, while a SOC 2 can require (in some cases) several weeks on-site, at various physical locations.
3. SCA can give your organization valuable, actionable information about the status of your information security management system (ISMS). SOC 2 reports often tend to be very narrowly scoped: the systems that will touch the client’s data are often the systems scoped into the SOC 2. The Standardized Control Assessment tool considers those systems but looks at a broader variety of controls across your entire infrastructure. It is also explicitly designed to map to the NIST and ISO 27001:2013 standards. If your organization is considering becoming ISO 27001 certified (a great idea, by the way), the AUP can give you a very informative glimpse into your strong and weak areas. Some organizations have used the SCA as a tool to determine their readiness to undertake the ISO 27001 certification process.
4. SCA can provide your customers and clients with information not readily obtainable from many SOC 2 reports. The SCA includes detailed information about sample sizes, testing methodology, and attributes considered. For example, your client could see from the SCA report that your organization has a process for detecting unauthorized wireless networks, that there is evidence the process is being utilized, whether any unauthorized wireless networks were detected in the previous six months and, if so, whether they were removed. This level of detail is generally not included in a SOC 2 report.
5. SCA can be more objective. Just like in a SOC 2 report, an SCA requires the attestation of a qualified professional auditor (usually a Certified Information Systems Auditor, or CISA). But it adds an element of objectivity that is difficult to duplicate in a SOC 2. The assessment tool is designed to determine whether a control exists or not. It still requires the professional expertise and judgment of a competent auditor, but it makes it easier for a reviewer to understand what objective evidence was used, what criteria were used to examine that evidence, and what the empirical evidence was of its effectiveness.

If your company is being asked to produce a SOC 2 report or is being asked for other documentation to demonstrate the effectiveness of your information security management system, please consider that there are alternatives to a SOC 2, and for many cases, one of these alternatives is the Shared Assessments SCA. In many cases, the SCA is not only less expensive, but also more useful, and is a better means of communicating the real information that your clients and customers need.
If you’d like more information about the SCA and how Pivot Point Security can help you complete one or evaluate the alternatives, please contact us for a no-pressure, free consultation.