SOX vs SOC 2: A Convergence of Compliance
It's fascinating to see financial compliance and cybersecurity compliance converging in the headlines recently, especially with the new SEC rules. For those of us interested in Sarbanes-Oxley (SOX) and SOC2 compliance, this is an exciting time. We're a small but mighty group, and our services are in high demand. Customers with third-party risk management programs are raising the bar, demanding trust and assurance from their vendors. This creates external demand. Internally, cyber risk is becoming a boardroom issue, adding more work for compliance teams. These factors are driving the headlines.
One headline asks if the SEC can use SOX as a model to get cybersecurity rules right. Another announces that the SEC has approved new cyber reporting regulations for public companies. Thought leaders are suggesting that SOX is a model that should be used for cybersecurity. As someone who has worked in both worlds, I find this dialogue fascinating. The scope is big and complicated, and I believe this conversation will continue for at least the next decade.
I want to contribute what I've learned from my experience in both SOX compliance and cybersecurity governance-based compliance. I've created a list of 10 differences between SOX and SOC2 to help everyone level up as these worlds collide. I'm using SOC2 as a representative example of cybersecurity compliance, picking from an alphabet soup of fragmented options.
What Is It?
SOX is a law for financial reporting. SOC 2, on the other hand, is not a law. It's an assurance report for third-party audits, focusing on cybersecurity and sometimes privacy.
| SOX | SOC2 |
|---|---|
| Law for financial reporting | Assurance report for third-party audits of cybersecurity and privacy |
Who Does It?
SOX is mandatory for all publicly listed companies in America. SOC 2 is optional and not limited to cloud service providers. It can apply to various organizations, including data centers and managed security service providers (MSSPs).
| SOX | SOC2 |
|---|---|
| Publicly listed companies | Cloud service providers; data centers; managed security service providers (MSSPs); security operations centres (SOCs); payroll processors; benefits administration providers |
Who is it for?
SOX is for investors, providing them with trust in financial reporting. SOC 2 is for customers who need assurance about their vendors' cybersecurity practices.
| SOX | SOC2 |
|---|---|
| Investors | Customers |
Why Do We Do It?
Both SOX and SOC 2 are about trust. SOX was created in response to corporate and accounting scandals in the early 2000s to restore trust in financial markets. Cybersecurity compliance aims to provide assurance in the digital age, where cybercrime poses significant risks.
| SOX | SOC2 |
|---|---|
| Finance is about trust; prevent, detect and deter corporate and accounting scandals | Cybersecurity is also about trust; prevent, detect and deter Internet risks |

SOX: for trust in financial systems, to have liquidity in capital markets.

SOC2: customer assurance, transparency, improvement.

- Customers need trust and assurance
  - Contractual commitments
  - Security questionnaires, RFPs and vendor risk management inquiries
  - More efficient for all parties than client-specific audits
- Demonstrate leadership
- Providing transparency
  - Externally and internally, for management, operators, customers and business partners
- Continuously improving
  - Foundation for the security and risk management program
  - Improve maturity of controls for people, processes and technology
  - Reduce risk
Cost
SOX audit fees can easily reach millions of dollars, while SOC 2 audits typically cost tens to hundreds of thousands. Despite the costs, both are considered worthwhile investments.
| SOX | SOC2 |
|---|---|
| $Millions | $Tens or hundreds of thousands |

Too Expensive?

| SOX | SOC2 |
|---|---|
| No, if done well. One measure of ROI is that it enabled liquidity (trust) in capital markets | No, if done well |
Regulation
SOX has a regulator, the Public Company Accounting Oversight Board (PCAOB). SOC 2 does not have a regulator but is conducted by CPAs who are self-regulated.
| SOX | SOC2 |
|---|---|
| Yes | No, but CPAs are self-regulated |
Mindset
SOX operates with a business mindset, assuming people are generally good and will act appropriately with sufficient governance. Cybersecurity, however, operates with a military mindset, preparing for worst-case scenarios like cyberattacks.
| SOX | SOC2 |
|---|---|
| Business (COSO) | Military (DoD) |
Chemistry vs Alchemy
Accounting is like chemistry; we know the inputs and outputs and how they relate. Cybersecurity is more like alchemy; it's subjective and lacks universally accepted principles.
| SOX | SOC2 |
|---|---|
| Chemistry | Chemistry with alchemy |
Robustness of Procedures
SOX procedures are very robust, involving detailed checks of financial records. SOC 2 procedures vary by firm but generally include quality assurance reviews.
Impact
SOX has been in effect since 2002 and has unified fragmented standards in financial reporting. SOC 2, introduced in 2010, still deals with fragmented standards in cybersecurity.
| SOX | SOC2 |
|---|---|
| 2002 | 2010 (or the equivalent under a different name, going back much earlier) |

[Figure: Evolution of accounting compliance to IT audit in finance to cybersecurity]
Bottom Line
In summary, while SOX and SOC 2 serve different purposes and operate under different frameworks, they both aim to provide trust and assurance in their respective fields. As these worlds continue to converge, understanding their differences and similarities will be crucial for navigating the evolving landscape of compliance.
I hope this comparison helps further the ongoing discussion in our community. Feedback is always welcome.
Thanks for reading. Be safe and be well.