Catch this episode on Apple, Spotify, Amazon, or YouTube.
In this episode of GRC Uncensored, hosts Troy Fine and Elliot Volkman sit down with Jeff Cook, a 20-year GRC veteran and principal at Fortum (and host of Business Birdies), to unravel one of the more opaque corners of compliance: who oversees the auditors?
With his trademark candor and deep knowledge of the field, Jeff unpacks the nuances of peer review, the role of the AICPA, and the collective responsibility the market holds in ensuring audit quality—especially when it comes to SOC 2 reports.
Understanding Peer Review: Who’s Really in Charge?
One of the first misconceptions Jeff clears up is about the authority behind peer reviews.
“There’s a misconception that [peer review] is totally governed and run by the AICPA,” Jeff explains. “But ultimately, a CPA firm is registered with a state board of accountancy. That’s who can grant or revoke a license.”
In short, while the AICPA facilitates peer reviews through its programs, actual enforcement falls to the state boards. CPA firms can even pursue peer review paths outside the AICPA entirely, depending on their state requirements.
Enhanced Oversight: Watching the Watchers
Peer review isn’t the only mechanism in place. Jeff introduces the concept of enhanced oversight, a kind of meta-review process where reviewers themselves get reviewed.
“Even if you pass a peer review, your firm may get selected for enhanced oversight,” he says. “They’re going to take a deeper look—not only at your work, but at the peer reviewer’s work too.”
While it’s not yet widely understood or visible, Jeff hints at growing momentum behind this and other mechanisms being explored to raise the bar on quality.
The Market’s Role: It’s Time to Speak Up
Jeff issues a clear challenge to the consumers of SOC 2 reports—particularly vendor risk management teams—to take a more active role in shaping quality.
“We need to figure out where these poor-quality reports are and try to improve the rising tide so that all the ships can rise,” he urges.
To help the market do its part, Jeff and others are developing a SOC 2 report checklist and a companion video to help users quickly assess critical elements of reports.
Is the System Built for Financial Audits Holding Us Back?
Throughout the episode, Jeff and Troy return to a central tension: SOC 2 isn’t a financial audit—but the oversight structures in place were designed for financial auditing.
“Is the current way peer review is done really the right format for what SOC 2 is?” Jeff asks. “This is a completely different industry.”
From outdated standards to vague quality control requirements, Jeff points out that the system may not be adequately equipped for the speed and specificity required in cybersecurity and cloud compliance.
Grading Firms: A Radical (but Necessary) Idea
What if firms were graded on the quality of their SOC 2 reports?
Jeff floats an idea that’s both bold and practical: sampling reports and assigning firms a quality rating.
“I’m not saying disclose client names or reports, but imagine if users could see that a firm was an A, B, or C firm. That would help buyers make smarter decisions.”
While such a system doesn’t yet exist, it’s an example of the kind of outside-the-box thinking needed to restore trust in an ecosystem flooded with variable-quality audits.
The Path Forward: Moving Faster, Together
Throughout the discussion, Jeff emphasizes two imperatives: market buy-in and speed.
“The industry moves so quick… If something takes two years to implement, it’s already too late.”
From aligning standards to creating more uniform report formats, to potentially leveraging AI for report analysis, Jeff envisions a future where both the market and oversight bodies move faster and smarter—together.