From Findings to Fixes: Addressing Common SOC 2 Control Failures

Information technology and software continue to expand rapidly, with much of that growth driven by service organizations – companies that provide specialized services that businesses once performed internally.

For CPAs, this shift has increased reliance on outsourced service providers for data analytics, cloud hosting, and information security. It has also heightened responsibility for safeguarding company and client data. 

If your organization relies on service organizations, obtaining and reviewing their System and Organization Controls (SOC) 2 report can provide insight into their control environment and any areas of concern. If you are a service organization, clients likely expect you to undergo a SOC 2 examination. 

In the spring 2026 issue of NewsAccount, now available digitally, Esteban Rosas, CPA, CITP, senior manager with K Financial Audit and Advisory in Louisville, explores five control failures often found in service organizations’ SOC 2 reports:

  1. Offboarding breakdowns that create security risks
  2. Security awareness training without documentation
  3. Vulnerability management that stops at detection
  4. Vendor management gaps
  5. Policies that don’t match reality

Fortunately, Rosas asserts, most of these issues are straightforward to correct with structure, ownership, and repeatable processes. Check out the article, “From Findings to Fixes: Addressing Common SOC 2 Control Failures,” on page 26 of the spring issue for practical solutions to address these failures.

Looking for an opportunity to connect with your COCPA colleagues to discuss technology, its impact on the accounting profession, and future trends? Learn more about the COCPA Technology Users Group.

COCPA members can earn free CPE credit for NewsAccount readership. Take advantage of the opportunity to earn free CPE while staying on top of the latest news from the profession.