Updates on Recent Clarifications Provided by the AICPA:
The AICPA has released new clarification on SOC* software tools designed to help service organizations efficiently prepare for SOC* assessments.
The rapid evolution of these tools in the marketplace has necessitated the release of information and clarification from the AICPA to ensure professional standards are met, given the heightened risks associated with using these tools in SOC* assessments.
Considerations for Engagements Using SOC 2®* Tools
There are some key points your organization needs to be aware of when using a SOC* tool, or partnering with a SOC 2®* provider for your compliance assessment:
- If a service organization uses a SOC 2® tool, it does not eliminate or reduce the need for your assessor to take responsibility for the reporting and evidence collected according to professional standards. Your assessor will need to review the data for completeness and accuracy.
- Your assessor will not be able to rely solely on the information provided by a SOC 2® tool without comprehensive testing to determine whether the tool is operating correctly and whether the information gathered is complete and accurate. This means that you may incur additional costs when choosing to begin your compliance efforts by relying on tools.
- SOC 2® compliance tools are most often marketed to start-up organizations that may not have the requisite knowledge about IT security practices to properly make decisions about the risks incurred or the controls needed to mitigate those risks. Relying on consultants working for the tool provider could cause unforeseen issues in the future.
Technology and SOC* Assessments
This isn’t to say that technology and software advances are not an important part of the assessment practice. The AICPA supports technological solutions as an area of opportunity for assessors like Auditwerx. However, it is important that your assessment firm remain free of any conflicts of interest when partnering with or developing tools, so that it remains independent according to professional standards.
The Importance of Independence
Independence, as it relates to the organization performing your SOC 2® assessment, is extremely important in ensuring a true third-party opinion for your report. An entity that both develops and provides SOC 2® tools may create a self-review threat that cannot be properly mitigated. This could require that your compliance assessment be redone by an independent firm, adding time and expense.
Assessment firms like Auditwerx submit to regular peer reviews in order to demonstrate their commitment to the professional standards of the AICPA. SOC* reports are a “must-select” during these reviews, meaning that the work performed will be examined during the peer review process. It is extremely important that an assessor maintain the proper professional standards during the reporting process.
Compliance reports are meant to build trust between your organization, key stakeholders, and current or future clients. If proper independence is not maintained, your report may not be accepted by current or future clients who treat their data security as a priority, and your organization may lose out on future opportunities.
Auditwerx is an Independent Assessor
Auditwerx is proud to be an independent, third-party assessor. We uphold the professional values of the AICPA in order to provide your organization with a high-quality reporting experience.
While we are able to partner with tools your organization might use, our experienced team will perform a thorough review in order to ensure the proper information has been collected and is complete according to your business needs. Auditwerx does not have a business interest in SOC 2® tool providers, nor do we have an in-house tool that could impede an independent report.
If your organization is ready to begin the SOC* reporting process, start at the source with an independent assessor. Contact Auditwerx today.