SOC Engagements: How to Get in the Game
As with so many issues related to the accounting profession, opportunities to engage new clients or re-engage existing clients abound when standards are updated or changed. Such is the case with Service Organization Control Reports SM. The guidance for service auditors in the old Statement on Auditing Standards No. 70, or SAS 70, as it was known, was replaced effective June 15, 2011, by Statement of Standards for Attestation Engagement No. 16, which can give your firm and its clients a new set of standards to meet user needs.
If you haven’t already looked into this growing market for CPA services, here are some tips on how you can start a SOC practice:
- Educate your staff surrounding the AICPA standards. Help your staff understand how various clients—or their service organization vendors—can benefit from SOC 1SM, SOC 2 SM or SOC 3 SM reports.
- Make a plan to communicate to and convert your SAS 70 clients to SOC engagements. Now that SAS 70 reports have evolved into SOC 1 reports, you can inform SAS 70 clients on the benefits of utilizing or providing SOC 1 reports to stakeholders.
- Determine which SOC report (1 or 2) is appropriate for which clients. Conduct readiness reviews and GAP analysis to gain a better understanding of client needs.
- Capitalize on SOC 1 (SSAE 16) clients. SOC 2 reports, which cover controls over subject matter other than financial information, might be a better fit or an additional service for clients asking for SOC 1 engagement. Be sure to offer the SOC 2 option when appropriate.
With virtually no marketing, Gina Pruitt, CPA, director of information systems assurance and consulting services, has been able to turn SOC engagements into a solid niche practice area for her firm, KraftCPAs PLLC in Nashville. “We have been able to provide both SOC 1 and SOC 2 reports to a number of clients,” said Pruitt. “Our reputation is building, and clients’ word-of-mouth has been a very effective way for us to build our practice.”
To help you navigate this emerging area, establish a niche practice and help your clients, prospects and service organizations understand the benefits of SOC engagements, the AICPA has created a number of resources and free toolkit and marketing materials for firms, plus a free toolkit of resources for service organizations. Visit aicpa.org/SOC for more information.
Amy Pawlicki, Director - Business Reporting, Assurance and Advisory Services and XBRL, American Institute of CPAs. Amy staffs the AICPA Assurance Services Executive Committee, is responsible for building awareness and understanding among the AICPA membership of the eXtensible Business Reporting Language and coordinates AICPA activities related to Integrated Reporting and Sustainability, including collaboration with other organizations around the world that are dedicated to improving the quality and transparency of business reporting.
Digital program code image via Shutterstock.