We know that keeping up with the various compliance requirements can be demanding, especially if you don’t know where to start. Our advisors are equipped to meet you where you are on your compliance journey and can help you become more proficient in your approach to third-party reporting. Contact us to find out how we can help your business.
Published: January 10, 2024
Updated: January 10, 2024
Our colleagues at member firm BDO USA posted the original version of this article on June 12, 2023. You can also read it below.
The recent updates to the SOC 1 reporting process come with a significant impact to many organizations. The American Institute of Certified Public Accountants’ (AICPA’s) Auditing Standards Board approved an updated release to the AICPA SOC 1 Guide, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1).
If you currently have or will be working toward a SOC 1 report, it is essential to understand the impact of these recent updates to the SOC 1 reporting process. Identification of key reports, files or other outputs provided or made available to user entities’ relevant to their ICFR may take considerable effort. Close collaboration will be required between service organizations and service auditors to identify these, determine their relevance, identify and test the relevant controls, and include them in the SOC 1 report. Early planning will help your organization stay ahead of the curve when it comes to preparation and achieving compliance.
The guide has been developed by the AICPA Service Organizations Task Force for SOC 1 to assist practitioners engaged to examine and report on controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting. The latest updates provide enhanced implementation guidance for auditors and users to bring clarity around several recent and emerging industry topics to promote reporting quality and consistency.
Summary of changes
Available for use now, the AICPA updates for SOC 1 examinations are significant and may require additional time and attention from companies who currently have a SOC 1 report or are planning on working toward compliance. High level updates include:
- Incorporating new attestation standards (e.g., SSAE-20 to align the materiality concepts discussed in the attestation standards with the description of materiality used by the U.S. judicial system, the auditing standards of the Public Company Accounting Oversight Board (PCAOB), the Securities and Exchange Commission (SEC), and Financial Accounting Standards Board (FASB); and SSAE-21 adding new AT-C section 206 Direct Examination Engagements).
- Clarification that management's description of the service organization's system generally should include key outputs, such as reports, or files provided or made available to user entities if they are relevant to user entities' internal control over financial reporting (ICFR).
- Clarifies the limitations of the service auditor’s responsibilities to report negative information about carved out subservice organizations, since the service auditor is only required to determine whether the service organization’s controls designed to monitor services provided by the subservice organization are fairly presented and not whether they are suitability designed and operating effectively. Limitations exist since the description ordinarily does not include a control objective regarding monitoring of the subservice organization's activities, and additionally, the service organization’s monitoring controls are limited to those controls that the service organization has the ability to implement.
- Guidance on evaluating the results of tests of controls that management performed on a sample of transactions (for example, a control that is designed to check the accuracy of manual processing for a selection of transactions).
Additional updates
The AICPA provided further guidance through additional illustrative examples to demonstrate application of the standards, including the following:
- The illustrative reports and management assertions were revised to emphasize that management of the service organization is responsible for its description of the service organization’s system and for its assertion.
- Illustrative Type 1 SOC 1 service auditor’s report and management’s assertion have been added.
- Additional and improved examples of complementary user entity controls (CUECs) and complementary subservice optimization controls (CSOCs).
- Clarity on the suitability of control objectives and examples of suitable control objectives.
- Illustrative examples to evaluate the completeness of control objectives for a particular service organization.
- Examples of separate paragraphs that would be added to the service auditor's report for various scenarios encountered during testing of control operating effectiveness, for example, when controls were not operating effectively for a portion of the period under examination.