I began drafting this article some months back, but 2026 has been a little busier than our normal Q1 and it slipped my to-do list. Recent news in the SOC 2 world brought it back top of mind.
In college — pre-social media, to set the stage — I took a Fraud Examiners course as part of my Master's Program electives. My professor at the time made a statement that has held strong throughout my career:
"People, for a variety of reasons, will believe that what is too good to be true, is true when it is to their benefit."
As I've watched the rise of commodity SOC 2 reports and Trust programs built to meet the minimum standard of the AICPA's framework — and the fall of bespoke, customer-focused programs — this idea skips like a bad needle on vinyl in the back of my mind.
For the past two decades I have worked as a consultant helping my clients find value in their control frameworks: at EY, designing and implementing programs for some of the world's largest organizations, and at RISCPoint, seeing the gamut from small startups to large enterprise customers. The one consistent thread has been working with professionals who deeply care about their customers.
However, in my role as Chief Growth Officer at RISCPoint, I see a growing trend: organizations treating frameworks like SOC 2 as nothing more than a tax to be paid as painlessly as possible. The CPA profession has confused the market by allowing cheap, fast, and easy to become a replacement for high-quality, value-add work. I feel for the prospects who chose a solution that has now brought them into question with their customers.
Enter the Cheap. Fast. Painless. AI-Enabled Solution.
The solution that promises a SOC 2 in weeks — if not days — with hours or weeks of effort saved. Does it sound too good to be true? Does it benefit those who want to believe it? You bet.
The SOC 2 market has lost sight of the original intent of SOC 2 reports. The remainder of this piece is not about the well-documented troubles of any specific Silicon Valley startup, nor the GRC-tool-auditor combo that quietly rebranded as scrutiny mounted. It is a reminder of what SOC 2 is supposed to be, where it comes from, and why CPAs have an opportunity — right now — to bring back the value before this becomes an Enron-level scandal.
What SOC 2 Was Actually Built to Do
The System and Organization Controls framework was not designed by the AICPA as a marketing badge. It was built as an attestation framework, governed under AT-C Section 205, to provide independent, third-party assurance to user entities and their auditors about the controls at a service organization relevant to the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Read that again slowly. The report is for the customers of a service organization and the CPAs who audit those customers. It is designed to carry the weight of professional independence — the same weight that underpins every audit opinion, every attest engagement, and every piece of assurance work the accounting profession has built its public trust upon for over a century. It is not a sales tool. It is not a badge to slap on a landing page. It is not something that should be produced in 72 hours by an AI-enabled platform that has never spoken to a single person inside your organization.
When the AICPA built this framework, they assumed — reasonably — that the CPA signing the report would have no material financial relationship with the entity being examined. They assumed the auditor did not help design the controls they were opining on. They assumed independence, because without it, the report is not worth the paper it is printed on.
That assumption is now under siege.
The Ghost of Arthur Andersen: Why CPAs Should Know Better
A brief refresher on Enron is warranted, because those who do not learn from history are condemned to repeat it — and the parallels here are uncomfortable.
Enron Corporation was, at its peak, one of the largest and most celebrated companies in the United States — lauded by Fortune as "America's Most Innovative Company" for six consecutive years. Its auditor, Arthur Andersen, signed off on the financial statements year after year. The problem was that Enron was a fraud. Through a labyrinth of special purpose entities and aggressive accounting, Enron concealed billions in debt and inflated earnings on a scale that, when it unraveled in 2001, became the largest corporate bankruptcy in American history at that time. Over 20,000 employees lost their jobs. Shareholders lost tens of billions.
But Enron did not destroy Arthur Andersen. Arthur Andersen destroyed Arthur Andersen.
The investigation revealed that the audit relationship had been profoundly compromised. Arthur Andersen had become deeply financially entangled with Enron — not just as auditor, but as a lucrative consulting partner. The incentives were corrupted. The independence was theoretical at best. The result was not just the fall of a single firm. It was the Sarbanes-Oxley Act of 2002, the creation of the PCAOB, and a fundamental restructuring of how auditor independence is regulated in this country.
We are not yet at Enron. But the warning bell is ringing — and for every CPA, it should be telling you to act or find a new profession, because ours is at mortal risk.
The Line That Cannot Be Crossed: Signer vs. Stakeholder
Let me be precise, because clarity matters here.
There is nothing inherently wrong with a GRC platform that helps organizations build control frameworks. There is nothing inherently wrong with an audit firm that focuses on SOC 2 engagements. There is nothing inherently wrong with technology that accelerates evidence collection.
The line — the bright, unambiguous, non-negotiable line — is this: the CPA who signs a SOC 2 report cannot have a financial interest in the tool that designed and implemented the controls being opined upon.
This is not a gray area. The AICPA's Code of Professional Conduct under ET Section 1.200 is explicit that financial interests in an attest client create impairments to independence that cannot be managed away with disclosures or firewalls. When a CPA firm holds equity in a GRC platform, and that platform is used to design, implement, and manage the very controls the firm is then asked to independently attest to, the independence required for that attestation engagement does not exist. It is not diminished. It is absent.
There is also a management participation threat that is equally serious and often less discussed. Designing controls is a management responsibility. Implementing controls is a management responsibility. When the pathway to your SOC 2 runs exclusively through a platform in which the audit firm has ownership — a platform that builds your control environment and hands the evidence package directly to that same firm for signature — the auditor has effectively stepped behind the desk of management. They are not examining the controls. They are, in a meaningful sense, the controls.
The Opportunity in Front of Us
The market has demanded cheap, fast, and painless. Organizations, under pressure from sales cycles and competitive procurement, have treated SOC 2 like a speeding ticket — an inconvenient cost to be minimized. That demand created the supply. It created the race to the bottom that now has regulators and practitioners raising alarms.
But here is what I believe after two decades in this profession: the answer is not more regulation. It is CPAs choosing to act like CPAs — and for our profession to eradicate those who have chosen profit and greed over integrity and independence.
The profession has survived every major scandal — every Enron and every WorldCom — not because of enforcement alone, but because the overwhelming majority of practitioners took their independence obligations seriously. They walked away from work that compromised it. They priced engagements that reflected real effort and real judgment. They told clients, sometimes uncomfortably, that the report on their wall meant something — and that earning it required something.
That is the moment we are in again.
SOC 2 was built to carry weight. It is time we started treating it like it does.
Next in this series: The Hidden Cost of Check-The-Box Compliance — what cheap SOC 2 programs actually cost the startups, middle-market firms, and enterprises that rely on them.