« Are Your Employees Financially Fit? | Main | What is the Right Penalty to Combat Preparer Fraud? »

CPAs as Market Leaders for Reporting on Service Organization Controls

Service organization control mark

I want to make you aware of a great marketplace-driven opportunity for the CPA profession. Similar to what is being done in the tax and integrated reporting areas, the AICPA is initiating a comprehensive campaign to support CPAs as the premier choice for reporting on a service organization’s controls and to mark our guidance as the gold standard for such services.

Many of you likely are aware that Statement on Auditing Standards No. 70, Service Organizations, has been transformed to meet the needs of the evolving service organization marketplace. SAS 70’s guidance for service auditors reporting on controls at a service organization relevant to internal control over financial reporting of the service organization’s customers was moved to Statement on Standards for Attestation Engagement No. 16, Reporting on Controls at a Service Organization. Reporting on controls related to subject matter other than internal control over financial reporting (such as the security, availability or processing integrity of a system, or the confidentiality or privacy of the information processed by that system) became a new attestation engagement.

That new service, designed specifically to address the misapplication of SAS 70 which was intended to apply only to financial information, results in a comprehensive, detailed report called a SOC 2SM report. SOC stands for Service Organization Control, and a new framework of three SOC reports was developed last year. A SOC 1SM report results from an SSAE 16 engagement (which must be performed by CPAs); a SOC 3SM report results from a Trust Services engagement, which has existed for several years, and can be used without restriction allowing service organizations to use these reports for marketing purposes. Essentially, SOC 2SM and SOC 3SM engagements evaluate the same information but produce different types of reports.

By the way, the guidance that was in SAS 70 for user auditors – those performing financial statement audits of companies that outsource to service organizations including cloud computing providers – will become effective for year-end 2012 audits when the clarified auditing standards take effect.

Having dispensed with the technical aspects of the reports, I now want to focus on the broader opportunity and summarize the activities to help the profession seize it. I truly believe CPAs are the best suited professionals to provide these services to service organizations. First, SOC services provided by CPAs are, without a doubt, best-in-class. Second, audit, attest and assurance are part of a CPA’s DNA. Our education, the CPA Exam and experience requirements for licensing facilitate our knowledge and understanding of the underlying issues. Additionally, the AICPA supports the public interest by setting performance and reporting standards for these engagements; enforcing a Code of Conduct that provides for the independent, objective, competent performance of such services; and maintaining peer review standards to examine SOC engagements for firms that do this work. Non-CPA consulting firms are not held to such high standards.

The AICPA is taking a multi-pronged approach to facilitate CPAs’ success in this area:

  • Resources and CPE programs are being developed to help CPAs fully understand SOC engagements and how to perform and market them. Visit aicpa.org/SOC for more information and watch AICPA publications for announcements.
  • CPA firms will be provided with tools to help them educate the marketplace on SOC reports and promote their services, including guidelines on using the SOC logo designed for CPAs. Other information will address how to help a client decide which SOC engagement meets their needs and how the resulting reports should be used.
  • Direct outreach to the service organization community will boost marketplace awareness and acceptance of SOC 2SM engagements, and reinforce that CPAs are the premier professionals for reporting on service organization controls relevant to security, availability, processing integrity, confidentiality or privacy.
  • A marketing toolkit for service organizations will include information on using the SOC logo to show they have undergone a SOC engagement within the past 12 months, as well as a press release template to promote SOC 3 engagements. This effort should help end the “SAS 70 certified” proclamations that emerged and prevent similar erroneous statements regarding SOC 1SM, SOC 2SM or SOC 3SM engagements.  
  • Advocacy efforts will focus on a federal government program that requires certain agencies to obtain assurance on subjects covered by SOC 2SM reports.

SOC 2SM (and SOC 3SM) reports present a tremendous new market niche for practitioners. I encourage you to explore service organization reporting and see if it fits into your practice, or to take advantage of our information, resources and tools to expand your practice in this area. The AICPA is paving the way for CPAs to step in and be the marketplace leaders, but ultimately success rests with you. Go for it!  

Gregory J. Anton, CPA, Chairman, American Institute of CPAs.


Comments are moderated. Please review our Comment Policy before posting.


Subscribe in a reader

Enter your Email:

CPA Letter Daily