If you’ve perused Serenity magazine over the last several years, the advertisement for Kerry L. Shackelford on The Stone House pages would leave the impression that he is a suit-and-tie-wearing CPA working out of his Evergreen office every day. Kerry begs forgiveness and says the reality is, “I need to change that picture as I haven’t put on a suit for work since starting the firm five years ago.”
Kerry L. Shackelford, CPA LLC is a Colorado CPA firm that specializes in providing service organization control reports to clients. These reports are known in the industry as SOC reports and they are the deliverable of a “SOC audit.” This particularly distinguishes Kerry since, although he is a CPA, he does not provide the services most people attribute to the profession, like taxes, accounting or financial audits.
A service organization is one that outsources business and IT processes for their customers. “Service organizations that might need a SOC report are typically those that are obligated to secure customer data in their custody and protect it from unauthorized disclosure,” explains Kerry.
SOC reports were created by the American Institute of CPAs (AICPA) to enable independent auditors to provide third-party assurance to a client’s customers and prospects. SOC reports can only be issued by a CPA firm, and they are typically refreshed annually to provide ongoing assurance. The subject matter of a SOC report can be general IT controls, security controls or controls related to business risks or the need to comply with laws and regulations. There are two main types of SOC reports: the SOC 1, to report on internal controls over financial reporting, and the SOC 2, to report mainly on security controls over customer data.
SOC reporting is intricate and specific, which is why Kerry’s firm focuses on this niche. “Most clients that must get a SOC audit appreciate getting through the audit as quickly and efficiently as possible to minimize disruptions to business operations,” he says. “Toward that end, the firm extensively plans the audit evidence collection process to complete the audit field work in a one- to two-week period. This is driven by providing clients a listing of the controls being tested, the high-level test plan for each control, and the request for information for each control. This helps clients prepare and avoid surprises.”
Many CPA firms can provide SOC reports, but what makes Kerry’s firm stand out is that he personally served on the AICPA task forces that invented the SOC 2 report and criteria, which is the most popular and fastest growing of the SOC reports. Since he had a hand in “writing the book,” clients can count on his extensive knowledge and skill in finalizing their reports efficiently.
“I find it highly rewarding to make a living providing a service that I helped invent,” Kerry says. “And I am grateful to own and run my own successful firm. It is a privilege to work directly with clients to implement and maintain internal IT controls and security best practices—and to help them maintain the certifications they need to keep their customers happy and win new deals year over year.”
Kerry says an ideal client is a service organization—a technology company—that needs a SOC 2 report. And, as a longtime resident of Evergreen, where Kerry and his wife raised their three children, he is most happy to make business connections within the community. “About two years ago, I met a new tenant in the Stone House. He told me what he did for a living and asked me what I did. I said my CPA firm specialized in a type of audit that most people have never heard of—SOC audits. He leaned in and said he knew what a SOC audit was and that he owned a company that needed one! His company became a client and taught me not to assume that there are no potential clients among my Evergreen neighbors.”
To learn more about SOC reports and his firm, Kerry invites you to visit his website at klshackelfordcpa.com.