SOC 1 and SOC 2 Examinations: Changes Coming for Service Organizations

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Notable Changes for SOC 1 and SOC 2 Engagements

Service organizations that undergo annual SOC 1 or SOC 2 examinations will see a few changes to their engagements starting in June 2022. The changes are effective for reports dated on or after June 15, 2022.

In September 2020, the AICPA Auditing Standards Board (ASB) issued Statement on Standards for Attestation Engagements (SSAE) No. 21, Direct Examination Engagements. In issuing this new standard, the ASB also amended certain procedures/requirements for auditors performing SOC 1 and SOC 2 examinations. The main differences that service organizations will see are as follows:

  • The independent audit report will now include a statement that indicates the auditor is required to be independent and to meet its other ethical responsibilities in accordance with relevant ethical requirements relating to the examination engagement.
  • Certain representations that the service organization management makes could be modified:
    • For a SOC 1, management could be asked to represent that it is responsible for determining that the criteria are available to intended users and appropriate for the purpose of the engagement.
    • For a SOC 2, management could be asked to represent that it is responsible for selecting the trust services category(ies) and criteria to be included within the scope of the examination and determining that the criteria are available to intended users and appropriate for the purpose of the engagement.
  • The practitioner has the ability to add information to the independent audit report that goes beyond the minimum report elements.

SSAE No. 21 Applications for Auditors

In addition to the changes to SOC engagements, SSAE No. 21 provides an avenue for auditors to perform an examination engagement where they obtain reasonable assurance by measuring or evaluating underlying subject matter (an organization’s process, controls, etc.) against criteria (e.g., the standard used to evaluate the process, controls, etc.), and expressing an opinion on the results. Under these engagements,

  • The organization (client) is not required to provide a management assertion about whether the underlying subject matter is in accordance with the criteria, but the organization is required to acknowledge its responsibility for the processes, controls, etc. being evaluated.

Key Takeaways for Service Organizations

While the changes to SOC 1 and SOC 2 are not substantial for service organizations, it's important to understand the changes and how they will impact your engagements.

For organizations that might be asked by a customer to evaluate a complex, non-financial subject matter (e.g., environmental impact) and not have the internal resources to perform the evaluation, the new SSAE No. 21 can provide a means for the organization to hire an independent auditor to perform that assessment. In essence, it gives businesses the ability to have independent auditors perform testing and issue opinions on just about any measurable business topic that stakeholders value.


Questions on this topic? Contact your Keiter Opportunity Advisor or Keiter’s Risk Advisory Services team. We can help.


About the Author



Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.


The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
