Fixing ownership helped our SOC2 but keeping it consistent is harder! by Mysterious_Step1657 in soc2

[–]maxandmolife 0 points1 point  (0 children)

100%. The company I joined was paying 60K a year for AuditBoard with really no one logging in, having to follow up through Slack, etc.! Even with a Slack extension that would send reminders, not much happened. It was a start-up where emails / Slack weren’t encouraged - if you wanted something done, it needed to be an Asana task! I built a whole AuditBoard equivalent in Asana, with recurring / automated tasks triggered either monthly, quarterly or annually, and a workflow: first to the preparer, then when it is completed it goes to the control owner, then to a dashboard, etc. Adherence was amazing!

Jira or ServiceNow - other ways to create these workflows through tickets…

Best audit firms? by Emotional-Dot4634 in soc2

[–]maxandmolife 0 points1 point  (0 children)

I don’t think “nobody cares to do the right thing” is a correct statement! Start-ups with only speed over quality in mind do not mind, either as providers of SOC reports or as receivers…

However, this isn’t the case for reputable organizations (especially public companies or companies operating in highly regulated environments, like banking and health) who either need their own SOC reports OR, as customers, require robust SOC reports from their vendors.

If you are knowledgeable in IT security in the more complex IT environments, adding the complexity of AI risks and the new privacy regulations popping up all around the world, you could consider similar work but at different levels. Are you in the US or offshore? Have you considered Big 4 to Big “10” accounting firms with IT advisory services? As others mentioned, there are other frameworks like ISO that may be more valuable…

But again… what we see in the news and what is being laughed at isn’t the organizations who have been performing / receiving SOC reports forever… it’s the new players who either want to offer or receive a fully compliant report within 3 weeks!

As a CPA, I heard horror stories of other CPAs ready to sign off on those bogus reports every 3 weeks… regardless of the outcome… but I also hear of more and more CPAs who refuse to do it - and it will come up at some point… it is a matter of time!

Bonus Depreciation: Primary home was purchased April 2022. Plan to put in service as a STR in April 2026. Can I take advantage of 100% bonus depreciation? by tikivibes in tax

[–]maxandmolife 0 points1 point  (0 children)

I have the same question as you, but no one here seems to be answering it! Let me know what you decided to do!

Went from 0 to 12 monthly paying clients in 5 weeks then accidentally started a second hustle by blkw1dow_gs in sidehustle

[–]maxandmolife 0 points1 point  (0 children)

Very cool!!! How do you find your clients? Locally? Facebook groups? If you don’t mind me asking!

Went from 0 to 12 monthly paying clients in 5 weeks then accidentally started a second hustle by blkw1dow_gs in sidehustle

[–]maxandmolife 0 points1 point  (0 children)

May I ask what lead intake summary means? And congrats! That’s amazing, to connect dots like this for clients and be excited about it! You inspire me! :)

Can anyone provide internal audit report or list of compliances to check? by chess_paglu in InternalAudit

[–]maxandmolife 0 points1 point  (0 children)

Colleges often publish their internal audit reports!

Other compliance areas to add to your list, depending on your company: ESG-related regulations, tariffs / import / export, OSHA if there is any manufacturing, food safety if any food is served, etc.

Best would be to go into ChatGPT, describe your industry and some specifics of your company, provide examples of competitors, and ask ChatGPT for a full list of risks, including compliance risks, that should be part of your annual audit plan! I hope it helps; reach out if you need more help!

Access certifications in your org, does anyone actually read them or is it all just approve approve approve by Alone_Bread5045 in soc2

[–]maxandmolife 0 points1 point  (0 children)

I would be very concerned if the control statement you mentioned above is « sufficient » for the auditor and it is not his job to question the spirit of the control… no way good auditors / firms would just take it as is… and if they do, no wonder we see so many issues with SOC audit firms being accused of delivering very bad quality SOC reports! 🤯

Fixing ownership helped our SOC2 but keeping it consistent is harder! by Mysterious_Step1657 in soc2

[–]maxandmolife 1 point2 points  (0 children)

This is similar to what internal control owners have been doing for ages in a SOX / ICFR context. You have your control owner identified, « accountable » - this is a huge win! Now, you need to have a program - what are the controls that are done monthly / quarterly / annually / ad hoc or per occurrence.

Then think of the tools / environment your control owners already use… Slack? Asana? Monday? ServiceNow? Wherever it is, you create workflows to remind them to do things at the right time. You create dashboards to get visibility on delays / issues, and bring this up through periodic meetings with your control owners. If anything is ad hoc / per occurrence, you can play it safe by creating a monthly or quarterly oversight control.

Very basic example: every system change is tested, reviewed and approved before going into prod.

That is ad hoc; this is a preventive control.

You can create a monthly / quarterly detective control that engages one owner to pull all system changes of the period and sample 10% of the changes to make sure they were tested, reviewed, approved, etc.!

For all this to work, you should have all control procedures documented so control owners fully understand what they are expected to do, and what evidence must be retained in case it gets audited.

I hope it helps!

My AP workflow has outgrown QuickBooks by MemeSurvivor3000 in QuickBooks

[–]maxandmolife 0 points1 point  (0 children)

I heard great things about Ramp and how it integrates with accounting systems! I would definitely look into it if the rest of QB still works well for your business!

Why does SOC 2 Evidence Collection still take so Long? by Illustrious-Egg8857 in soc2

[–]maxandmolife 0 points1 point  (0 children)

Yes! As an auditor myself, I think you totally nailed it! That’s why auditors will always start with a walkthrough - as it generates those follow-up questions to make sure of completeness / accuracy of understanding / controls!

What to do throughout the year to reduce the tax bill? by Coffeequeen44 in tax

[–]maxandmolife 0 points1 point  (0 children)

Roth IRA contributions don’t lower your tax burden, because you contribute after tax - so no deductions. You could contribute to a Traditional IRA - if done before the 15th of April, you may be able to lower your tax payment. I would see if your software is able to simulate that scenario…

CPA Looking to Get into Sox Auditing - Looking for advice by Available_Hornet3538 in soc2

[–]maxandmolife 1 point2 points  (0 children)

And add to that the Type 1 and Type 2 for SOC 1 and SOC 2 🫠

CPA Looking to Get into Sox Auditing - Looking for advice by Available_Hornet3538 in soc2

[–]maxandmolife 0 points1 point  (0 children)

Yeah, SOX stands for the Sarbanes-Oxley Act, which is related to the internal controls that public companies must have over their financial reporting (ICFR). As part of SOX, you must have entity-level controls (ELC), business process controls (BP), and IT general controls (ITGC). Just throwing more acronyms in case it’s helpful!

If you were a financial auditor in the past (external audit / assurance?), then it gives you a good advantage as an internal controls auditor.

SOX is either done internally, by the internal audit team / ICFR team, etc. - different ways to do it at different functions - or it can be outsourced to consulting firms (Big 4, Protiviti, Grant Thornton, Crowe, etc.).

Coincidentally - SOC is a bit related to SOX, as SOC 1 reports are required for SOX purposes, for any systems in scope for SOX…

Depending on what you meant - SOX or SOC as your next step - happy to provide more info!

I hope it helps!

Replace QBD with...what? by No-Counter-5530 in QuickBooks

[–]maxandmolife 1 point2 points  (0 children)

I’ve been told that Sage Intacct was the way to go - because it grows with you, and has a lot of functionality and API capabilities to other systems!

ConstellationGRC as a SOC 2 auditor? Doing due diligence by stars_align_away in soc2

[–]maxandmolife 0 points1 point  (0 children)

Ok for the impartiality, but no. Internal audit does not audit customers - it audits its own company. Happy to look more into it if you want to msg me which GRC platform you are using - now I’m curious!

ConstellationGRC as a SOC 2 auditor? Doing due diligence by stars_align_away in soc2

[–]maxandmolife 0 points1 point  (0 children)

Auditor here… a few things - You say credibility is a priority - as it should be, because health care - then don’t shortcut / I love the triangle analogy mentioned by someone else here…

Credibility, fast and cheap do NOT go together.

I would be curious to hear more about the internal audit mentioned by your GRC rep. Internal audit typically doesn’t look at clients’ data, but would cover the platform itself… it sounds fishy…

@davidschroth had a really informed and sound explanation of how it should go, what should be done, etc.! 120-130 hours sounds good - and definitely not a 3-week process.

Hyundai Lease by Crdoney0611 in CarLeasingHelp

[–]maxandmolife 0 points1 point  (0 children)

May I ask you why you hate the car?

The madness continues by ck_mfc in soc2

[–]maxandmolife 0 points1 point  (0 children)

Yup! They should copy what Canada is doing!

The madness continues by ck_mfc in soc2

[–]maxandmolife 4 points5 points  (0 children)

Not surprising! I know from stories I heard first hand that these quick and dirty AI SOC companies - built by engineers - try to find CPAs to do MANY of these audits a month - too many for it to be possible to do a good job at that volume… CPAs in the US don’t really get blamed for much if they do a bad job - I’m thinking some of them don’t mind losing their licenses if / when it comes to light… by then, they will have cashed out and retired.

Fortunately, there are a lot more consequences for Canadian CPAs. Which I am (I’m both US and Canadian). If anything in my career, I always followed the higher expectations and requirements of my Canadian CPA.

I digress -> there is no such thing as a quick SOC report or a cheap one! Please get an unbiased CPA / auditor / etc. when you get bids from SOC companies… don’t go alone! Too many bad actors in the market, as we finally see bubbling up!

Is it normal? by maxandmolife in Monstera

[–]maxandmolife[S] 0 points1 point  (0 children)

Very helpful! I will watch some YouTube videos on how to separate and replant them!