SSAE No. 20 and 21 are now in effect, and new AICPA SOC 1® and SOC 2® guidance is on the horizon. Let’s take a look back to look forward at what these changes mean for both service auditors and service organizations.
A LOOK BACK –
The 2018 iteration of the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC) mapped to the 17 principles in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, the most widely adopted internal control framework nationally and internationally. The change was material for service organizations that were already System and Organization Controls (SOC) 2 reporters, requiring an extensive review of the expanded criteria, remapping and modifying existing controls, implementing new controls, and identifying and remediating any control gaps. Service auditors were also greatly impacted as they worked in partnership with their clients to learn the new criteria, performed a “mapping” exercise to shift to the 2018 TSC framework, and modified and expanded test procedures to address control changes. The intended benefit of the new AICPA SOC 2 TSC was to provide management, customers, user entities, investors and prospective user entities greater confidence in an organization’s internal control environment to address today’s business environment and security, availability, confidentiality, processing integrity and/or privacy risks.
Not only did 2018 bring a new SOC 2 framework, it also was the year SSAE No. 18 became effective, impacting both service auditors and their clients. Several key concepts were introduced as requirements of the new attestation standards impacting all SOC examinations including: 1) Risk Assessments of the service organization and service auditor, 2) Information Produced by the Entity, 3) Complementary User Entity Controls (CUECs), 4) Complementary Sub-Service Organization Controls (CSOCs), 5) Monitoring of Sub-Service Organizations, and 6) Internal Audit Considerations.
A LOOK FORWARD –
The fall of 2022 brings changes in SOC in both AICPA attestation standards and AICPA SOC Guidance.
Attestation Standard Changes
SSAE No. 20 Amendments to the Description of the Concept of Materiality
The changes made by the AICPA to the concept of materiality are in response to the unique challenge presented by engagements on “other matters,” where materiality is qualitative rather than quantitative in nature. For SOC, misstatements may be referred to as deviations, deficiencies or exceptions, and are considered material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by intended users based on the subject matter. The phrase “the judgment made” replaced the phrase “the decisions made,” as service auditors cannot determine what an individual report user may decide or take action on. Information presented in a SOC report by the service auditor allows report users to evaluate that information for their specific purposes.
Supporting the change, the AICPA issued the white paper “Materiality Considerations for Attestation Engagements Involving Aspects of Subject Matters That Cannot be Quantitatively Measured” to provide nonauthoritative guidance on how service auditors consider materiality in engagements involving aspects of subject matters that cannot be quantitatively measured, and on how they make professional judgments regarding materiality in such engagements.
SSAE No. 21 Direct Examination Engagements
SSAE No. 21 is now in effect for all SOC reports issued on or after June 15, 2022. The new standard added a new AT-C section, designated as AT-C section 206, Direct Examination Engagements, which has no impact on SOC. However, the standard also amended AT-C section 105, Concepts Common to All Attestation Engagements, and superseded AT-C section 205, Examination Engagements (now Assertion-Based Examination Engagements); both of these changes impact SOC 1, 2 and 3 examinations and their reports. Service auditors should review the amendments to sections 105 and 205 to understand the impacts on planning procedures and the additional required language regarding independence and ethical considerations to be added to the service auditor’s opinion in a SOC report.
Substantially, SSAE No. 21 maintains the traditional SOC examination engagement; however, the standard introduced and defined a new term, underlying subject matter, with “underlying” being the new addition. By AICPA definition, underlying subject matter is the phenomenon that is measured or evaluated by applying criteria, and subject matter information is the outcome of the measurement or evaluation of the underlying subject matter against the criteria. To translate this into SOC terminology, the underlying subject matter is what the service auditor opines on: in a Type I SOC report, 1) that the description is presented in accordance with the description criteria and 2) that controls are suitably designed, and in a Type II report additionally 3) that controls are operating effectively. The subject matter information would be the opinion expressed as a result of evaluating the description, control design (Type I) and operating effectiveness (Type II) against the applicable criteria in a SOC 1 and the applicable Trust Services Criteria in a SOC 2.
Why make all these changes to attestation standards other than to keep service auditors on their toes? The AICPA continues to update its standards to conform with the terminology of International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information. Changing the single term “subject matter” to “underlying subject matter” clarifies that in an examination engagement the service auditor is required to be independent of the underlying subject matter, and that a party other than the service auditor (management) is responsible for the underlying subject matter.
A little history lesson: the AICPA issued the first attestation standards in the 1980s to provide guidance to auditors for performing engagements other than financial statement audits, i.e., those involving “other subject matters.”
It is anticipated that the AICPA will release updated implementation guidance for SOC 1 and SOC 2 at the end of August 2022. The AICPA has provided little detail on what we can expect to see in the updated guidance; however, based on SOC peer review results, white paper publications, FAQs and lessons learned from AICPA SOC School, my prediction is the following:
- A move away from hardcopy books to digital content, allowing the AICPA to be more agile in making future guidance updates.
- Updates to reflect SSAE Nos. 20 and 21.
- Considerations for service organizations using Governance, Risk Management, and Compliance (GRC) tools as a subservice organization, and for service auditor independence.
- Clarifications on the risk assessment process for both service organizations and service auditors.
- Additional guidance on SOC 2 examinations that include additional criteria (“SOC 2+”).
- Additional guidance to support the understanding of CUECs versus user entity responsibilities.
If you currently issue a SOC report, ensure your service auditors are informed of how the new attestation standards and pending AICPA SOC guidance changes impact your examination and subsequent report. If you are considering getting prepared for and completing a SOC examination, please reach out to our team of seasoned SOC professionals at the link below.
Whether you are an internal audit team that supports your service organization’s SOC examination(s), or an advisory firm seeking ways to improve, streamline or start a SOC reporting practice, our team of tenured professionals with SOC-specific credentials, including AICPA SOC Peer Review Specialists, is here to help. Your training will be customized to suit your needs based on the experience and knowledge level of your team, tailoring the learning to support your objectives.
Want to learn more about SOC? Visit our website here or contact our SOC service leader Shelby Nelson directly using our Contact Us feature!
About the Author
Shelby Nelson is a Partner in Frazier & Deeter’s Process, Risk, Governance (PRG) Practice, holds the AICPA’s CyberSOC and Advanced SOC certifications and has been the AICPA SOC School author and instructor since 2018. She created FD’s SOC School and SOC University programs, designed to immerse both beginner and advanced service auditors in the SOC framework and methodology at FD. In addition to being an AICPA SOC Peer Review Specialist, she is recognized as a SOC subject matter expert and a frequent speaker for professional organizations and client events around the globe.