
4 Things to Know About Performing and Reporting on SOC Engagements

So, have you started doing Service Organization Control engagements at your firm yet? You’ll recall in my last blog post that jumping into this niche area is a great way to engage existing clients and new clients in an emerging market.

The AICPA has been fielding a number of questions regarding performing and reporting on SOC 1, SOC 2 and SOC 3 engagements. Here are four of the key queries and their answers to help you and your firm move forward in starting a SOC practice:

Q: An auditor is in the process of planning an audit for a client and determines that significant accounting and financial reporting processes and controls are performed by an outside CPA firm. What is the auditor’s responsibility with respect to the functions performed by the other CPA firm?

A: Paragraph .01 of AU section 314, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards), states that the auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risks of material misstatements of the financial statements. Therefore, the auditor’s responsibility is the same regardless of whether the client designs and operates its own accounting processes and controls or whether those processes and controls are outsourced to a third party.

Assuming that the other CPA firm has not undergone a type 1 or type 2 service auditor’s examination and, therefore, cannot provide user entities with such a report, the auditor may obtain the necessary understanding by visiting the other CPA firm’s office where the information is processed to understand how the processes and controls have been designed, and whether those controls have been implemented.

If the auditor intends to rely on any of the controls performed by the other CPA firm, then those controls would need to be tested to determine if they are operating effectively, just as they would if the controls had been implemented by the client. 

Q: If an auditor performs an SSAE No. 16 engagement for a service organization and also audits that service organization’s financial statements, when auditing the service organization’s financial statements, will the auditor still need to obtain a sufficient understanding of the service organization and its environment, including its internal control, sufficient to assess the risk of material misstatement and design audit procedures?

A: In an SSAE No. 16 engagement, the service auditor focuses on controls at the service organization that are relevant to the user entities’ internal control over financial reporting, rather than controls at the service organization that are relevant to the service organization’s ICFR. Some of the controls included in the service organization’s description of its system may be relevant to the service organization’s ICFR, but because controls evaluated and tested for the purposes of an SSAE No. 16 engagement are not necessarily controls that affect the service organization’s financial reporting, the auditor of the service organization’s financial statements would still need to obtain an understanding of the service organization’s internal control for the purpose of the audit.

Q: Will entities now become "SSAE 16 certified" or “SOC certified”?

A: No. A popular misconception about SAS No. 70, Service Organizations (AICPA, Professional Standards, AU sec. 324), is that a service organization becomes "certified" as SAS No. 70 compliant after undergoing a type 1 or type 2 service auditor’s engagement. No such certification exists under AU section 324 nor does it exist under AT section 801. An SSAE No. 16 report (as with a SAS No. 70 report) is primarily an auditor-to-auditor communication, the purpose of which is to provide user auditors with information about controls at a service organization that are relevant to the user entities’ ICFR.

Q: How can my firm market its services related to providing SOC 1, SOC 2, or SOC 3 engagements? Can service organizations promote having undergone a SOC 1, SOC 2, or SOC 3 engagement through their websites and marketing materials?

A: SOC logos are available for use by (a) CPAs for marketing and promoting SOC services and (b) service organizations that have undergone a SOC 1, SOC 2, or SOC 3 engagement within the prior 12 months. These logos are designed to make the public aware of these SOC services and do not offer or represent assurance that an organization obtained an unqualified (or clean) opinion. For additional information about logos, visit the AICPA’s SOC Web page. In addition, CPAs can find tools and resources for marketing their firm’s SOC services in the AICPA’s SOC Toolkit for Firms. Service organizations can take advantage of marketing materials as well through the AICPA’s SOC Toolkit for Service Organizations.

In addition, a seal is available only for SOC 3 engagements. A SOC 3 SysTrust for Service Organization Seal may be issued and displayed on a service organization's website. All practitioners who wish to provide this registered seal must be licensed by the Canadian Institute of Chartered Accountants. Typically the seal is linked to the report issued by the practitioner. It is important to note that a practitioner can perform a SOC 3 engagement and issue a SOC 3 report without issuing a SOC 3 seal. In such cases the practitioner does not need to be licensed by the CICA. The license is only for the issuance of a seal.

For more information on SOC engagements, visit the AICPA’s Service Organization Control reports webpage on AICPA.org. For more frequently asked questions regarding SOC reports, see these two helpful Q&A documents: SOC 1 Q&As and SOC 2 Q&As.

Amy Pawlicki, Director - Business Reporting, Assurance and Advisory Services and XBRL, American Institute of CPAs. Amy staffs the AICPA Assurance Services Executive Committee, is responsible for building awareness and understanding among the AICPA membership of the eXtensible Business Reporting Language and coordinates AICPA activities related to Integrated Reporting and Sustainability, including collaboration with other organizations around the world that are dedicated to improving the quality and transparency of business reporting.  

