SOC 1 and SOC 2 Examinations: Changes Coming for Service Organizations

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Notable Changes for SOC 1 and SOC 2 Engagements

Service organizations that undergo annual SOC 1 or SOC 2 examinations will see a few changes to their engagements starting in June 2022. The changes are effective for reports dated on or after June 15, 2022.

In September 2020, the AICPA Auditing Standards Board (ASB) issued Statement on Standards for Attestation Engagements (SSAE) No. 21, Direct Examination Engagements. In issuing this new standard, the ASB also amended certain procedures and requirements for auditors performing SOC 1 and SOC 2 examinations. The main differences that service organizations will see are as follows:

  • The independent audit report will now include a statement that indicates the auditor is required to be independent and to meet its other ethical responsibilities in accordance with relevant ethical requirements relating to the examination engagement.
  • Certain representations that the service organization management makes could be modified:
    • For a SOC 1, management could be asked to represent that it is responsible for determining that the criteria are available to intended users and appropriate for the purpose of the engagement.
    • For a SOC 2, management could be asked to represent that it is responsible for selecting the trust services category(ies) and criteria to be included within the scope of the examination and determining that the criteria are available to intended users and appropriate for the purpose of the engagement.
  • The practitioner has the ability to add information to the independent audit report that goes beyond the minimum report elements.

SSAE No. 21 Applications for Auditors

In addition to the changes to SOC engagements, SSAE No. 21 provides an avenue for auditors to perform an examination engagement in which they obtain reasonable assurance by measuring or evaluating underlying subject matter (an organization’s process, controls, etc.) against criteria (e.g., the standard used to evaluate the process, controls, etc.) and express an opinion on the results. Under these engagements:

  • The organization (client) is not required to provide a management assertion about whether the underlying subject matter is in accordance with the criteria, but the organization is required to acknowledge its responsibility for the processes, controls, etc. being evaluated.

Key Takeaways for Service Organizations

While the changes to SOC 1 and SOC 2 are not substantial for service organizations, it's important to understand the changes and how they will impact your engagements.

For organizations that might be asked by a customer to evaluate a complex, non-financial subject matter (e.g., environmental impact) and that do not have the internal resources to perform the evaluation, the new SSAE No. 21 can provide a means for the organization to hire an independent auditor to perform that assessment. In essence, it gives businesses the ability to have independent auditors perform testing and issue opinions on just about any measurable business topic that stakeholders value.


Questions on this topic? Contact your Keiter Opportunity Advisor or Keiter’s Risk Advisory Services team. We can help.

About the Author


Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance, and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost-effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
