What to know about recent changes to SOC 1 guidance

Our colleagues at member firm BDO USA posted the original version of this article on June 12, 2023. You can also read it below.

The recent updates to the SOC 1 reporting process come with a significant impact to many organizations. The American Institute of Certified Public Accountants’ (AICPA’s) Auditing Standards Board approved an updated release to the AICPA SOC 1 Guide, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1).

If you currently have or will be working toward a SOC 1 report, it is essential to understand the impact of these recent updates to the SOC 1 reporting process. Identification of key reports, files or other outputs provided or made available to user entities’ relevant to their ICFR may take considerable effort. Close collaboration will be required between service organizations and service auditors to identify these, determine their relevance, identify and test the relevant controls, and include them in the SOC 1 report. Early planning will help your organization stay ahead of the curve when it comes to preparation and achieving compliance.

The guide has been developed by the AICPA Service Organizations Task Force for SOC 1 to assist practitioners engaged to examine and report on controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting. The latest updates provide enhanced implementation guidance for auditors and users to bring clarity around several recent and emerging industry topics to promote reporting quality and consistency.

Summary of changes

Available for use now, the AICPA updates for SOC 1 examinations are significant and may require additional time and attention from companies who currently have a SOC 1 report or are planning on working toward compliance. High level updates include:

• Incorporating new attestation standards (e.g., SSAE-20 to align the materiality concepts discussed in the attestation standards with the description of materiality used by the U.S. judicial system, the auditing standards of the Public Company Accounting Oversight Board (PCAOB), the Securities and Exchange Commission (SEC), and Financial Accounting Standards Board (FASB); and SSAE-21 adding new AT-C section 206 Direct Examination Engagements).  
• Clarification that management's description of the service organization's system generally should include key outputs, such as reports, or files provided or made available to user entities if they are relevant to user entities' internal control over financial reporting (ICFR).
• Clarifies the limitations of the service auditor’s responsibilities to report negative information about carved out subservice organizations, since the service auditor is only required to determine whether the service organization’s controls designed to monitor services provided by the subservice organization are fairly presented and not whether they are suitability designed and operating effectively. Limitations exist since the description ordinarily does not include a control objective regarding monitoring of the subservice organization's activities, and additionally, the service organization’s monitoring controls are limited to those controls that the service organization has the ability to implement.
• Guidance on evaluating the results of tests of controls that management performed on a sample of transactions (for example, a control that is designed to check the accuracy of manual processing for a selection of transactions).