The AICPA is the professional organization responsible for setting the audit standards for SOC Reporting and publishes a SOC 1 Guide, which is intended to help organizations better meet the information needs of their customers and business partners. The AICPA issues new Statements on Standards for Attestation Engagements (SSAEs) each year and also releases updated Guides around the new standards.
The AICPA published the latest SOC 1 Audit Guide, “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting,” in February 2023. Revisions in the latest version:
- Explained the identification and evaluation of subservice organizations with new examples.
- Clarified guidance around information required in management of the service organization’s description of its system.
- Provided new procedural guidance for SOC 1 Service Auditors on the procedures they perform to validate the accuracy and completeness of the information provided by service organizations.
Summary of Subservice Organizations Updates
- Removed the defined term “vendor” to simplify guidance: A service provider either is or is not a subservice organization, and there is no need to use another term for a service provider that is not a subservice organization.
- Revised the table of the eight commonly encountered service provider types to include a discussion of factors to consider when evaluating whether or not a service provided is relevant to user entities’ understanding of internal controls and a conclusion on whether or not the service provider would be considered a subservice organization.
- Clarified that management’s system description of the SOC 1 Report should address the controls in place to monitor any subservice organizations and that monitoring may include a combination of ongoing monitoring, g., regular reporting or meetings with the service provider, and separate reports showing controls were effective over a period of time, e.g., certifications or SOC Report from providers.
Impact: Increased scrutiny over what is considered a subservice organization and what the service organization is doing to monitor the activities of any subservice organizations.
Summary of Guidance Updates on Management’s Description of Its System
In this updated Guide, the AICPA revised its guidance on disclosing sensitive information around the information security posture. In summary, the level of detail within the System Description is intended to fulfill what the user auditor would need if the user entity were performing the outsourced service itself; however, the description does not need to be in such detail to compromise the service organization’s information security.
Impact: Level of detail included within a subservice organization’s description of the system does not have to be so extremely detailed as to potentially compromise information security.
Summary of Procedural Guidance Updates for Service Auditors
The SOC 1 Audit Guide includes clarifications and examples on required procedures. Auditors are required to evaluate whether or not information presented by the service organization during the examination is sufficiently reliable. The revised Guide provides examples of questions to ask that are useful to the Auditor for evaluation:
- What is the basis for the service organization’s comfort with the reliability of the information?
- Were any classes or ranges of data excluded from the information provided by the service organization? If so, were those exclusions appropriate?
- Does the information originate from a system already subject to the service auditor’s procedures or a system beyond the scope of the service auditor’s examination?
Auditors should ask service organizations about the scope of regulatory audits and Internal Audit and Internal Risk Management functions and review relevant assessments from those Internal Audit/Risk functions.
Impact: Increased scrutiny on population completeness and accuracy requiring additional verification procedures.
If you have questions or need assistance, please reach out to a professional at Forvis Mazars.