RECENT SEARCHES

    RECOMMENDED

    No Results Found

    What businesses need to know about SOC 2 developments

     

    Updated guidance and the rise of SOC tools merit attention

     

    When performed correctly, a System and Organization Controls (SOC) 2 engagement results in a report from a trusted audit firm that gives a service organization an opinion on the condition of its processes and controls that includes valuable information that can be shared with clients and prospects alike.

     

    As the SOC 2 landscape shifts a bit, it’s important for service providers to understand some of the more important nuances in this area.

     

    First, the AICPA, which sets the standards for SOC 2 engagements, updated its guide for practitioners performing these engagements in October 2022. While the updates are geared more toward auditors who perform SOC 2 engagements, a fuller understanding on the part of clients can prevent surprises and help the engagements proceed more smoothly.

     

    Second, the AICPA has warned of the misuse of certain tools created by non-CPA software developers to improve service organizations’ preparation for SOC 2 examinations. If these tools are used improperly, they may result in SOC 2 examinations and related reports that do not conform with professional standards, according to an AICPA alert issued in December 2022. There’s a risk that non-CPA firms that purport to be able to perform the examination using a tool will deliver reports that don’t adequately assess the condition of processes and controls.

    Icon: Request a meeting Icon: Request a meeting
    Request a meeting
    Authored alt text Icon submit RFP
    Submit RFP
     

     

     

     

    Updates to AICPA guide

     

    The revisions to the AICPA guide enhance the procedures that auditors perform when conducting SOC 2 examinations, and they are intended to improve clarity and processes.

     

    Titled SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, the updated guide reflects lessons learned and insights gained by CPAs who perform these engagements.

     

    The revised guide:

    • Incorporates new changes to CPA attestation standards.
    • Provides guidance and clarity to service organizations regarding their objectives and how they relate to the service commitments and system requirements.
    • Presents the key differences between the “Confidentiality” and “Privacy” categories and when it’s appropriate for a service organization to report on controls included in them.
    • Provides greater detail for how an auditor should proceed when a service organization is presenting controls related to another framework outside the SOC 2 trust services criteria.
    • Provides guidance and clarity to considerations and identifications of subservice organizations versus vendors, and appropriate types of controls or disclosures related to the use of specialists by management.
    • Explains how management and the service auditor should account for controls that may have operated outside the specified period, and how to consider the relevance of controls that operated prior to the specified period.
    • Provides guidance on the service organization’s use of software applications and tools (i.e., SOC tools).
    • Added new points of focus and clarified existing points of focus to better support the criteria.

    As a result of these changes, service organizations should review their controls and disclosures in their SOC 2 reports to reevaluate suitability of design and operating effectiveness of the control environment.


     

    Focus on tools

     

    According to the AICPA’s alert, SOC 2 tools often are marketed by non-CPA firms to companies whose management doesn’t fully understand the service organization’s risks and control activities. The tools are supposedly designed to make SOC 2 engagements more efficient and less expensive for management.

     

    When auditors rely too heavily on the information provided by these tools, the engagement might not meet professional standards.

     

    “There’s a risk of overreliance on these tools that’s then passed on to a service organization’s users,” said Forrest Frazier, a Grant Thornton Partner who is Practice Leader for the firm’s Special Attestation Services.

     

    When non-CPA SOC 2 tool providers enter into business with CPA firms to provide the examination based on information generated by the tool, the resulting audit may be exposed to a self-review threat that causes the engagement to fall short of professional standards.

     

    The AICPA also has observed that some SOC 2 tool provider websites list audit providers that do not appear to be licensed CPA firms. Most state boards of accountancy require attestation engagements — including SOC engagements — to be performed by licensed CPA firms, according to the alert.

     

    “If somebody comes along and says they can do these engagements for a lot cheaper than licensed CPA firms but their work doesn’t meet professional standards, that’s a threat to the whole system,” Frazier said.

     

    The key takeaway for service organization management is that a non-CPA software vendor that promises a smooth, inexpensive examination might not deliver a report that meets professional standards. 

     

    Contacts:

     
    Headshot of Charles Curran Headshot of Charles Curran
    Charles Curran

    Principal, Strategic Assurance & SOC Services

    +1 212 624 5526
     
    Headshot of Forrest Frazier Headshot of Forrest Frazier
    Forrest W. Frazier

    Partner, Strategic Assurance and SOC Services Practice Leader

    +1 704 632 6801
     
    Headshot of Khadyja Johnson Headshot of Khadyja Johnson
    Khadyja Johnson

    Partner, Advisory - Governance risk and compliance

    +1 303 813 4017
     
     
     

    Our featured strategic assurance and SOC insights

     

    No Results Found. Please search again using different keywords and/or filters.