Key Takeaways
- Assessor Responsibility Is Not Reduced: An organization using a SOC 2® tool does not eliminate or reduce the necessity for the compliance reviewer to take full responsibility for the collected evidence and final reporting. The reviewer must still ensure the data is complete and accurate according to professional standards.
- Reliance Requires Comprehensive Testing: Reviewers cannot simply rely solely on information provided by a SOC 2® tool. They must perform comprehensive testing to verify that the tool is operating correctly and that the information gathered is both complete and accurate.
- Independence is Critical: A firm that both develops and provides SOC 2® tools may create a self-review threat that compromises independence. If independence is not maintained, the final report may be rejected by stakeholders and require the assessment to be redone, incurring additional time and expense.
Updates on Recent Clarifications Provided by the AICPA
The AICPA has released new clarification on SOC* software tools designed to help service organizations efficiently prepare for SOC* assessments.
The rapid evolution of these tools in the marketplace has necessitated the release of information and clarification from the AICPA to ensure professional standards are met, due to the heightened risks associated with these tools and SOC* assessments.
Considerations for Engagements Using SOC 2®* Tools
There are some key points your organization needs to be aware of when using a SOC* tool, or partnering with a SOC 2®* provider for your compliance assessment:
- If a service organization uses a SOC 2® tool, it does not eliminate or reduce the need for your assessor to take responsibility for the reporting and evidence collected according to professional standards. Your assessor will need to review the data for completeness and accuracy.
- Your assessor will not be able to rely solely on the information provided by a SOC 2® tool without comprehensive testing to determine whether the tool is operating correctly, and that the information gathered is complete and accurate. This means that you may incur additional costs when choosing to begin your compliance efforts by relying on tools.
- SOC 2® compliance tools are most often marketed to startup organizations that may not have the requisite knowledge of IT security practices to make sound decisions about the risks incurred or the controls needed to mitigate those risks. Relying on consultants working for the tool provider could cause unforeseen issues in the future.
Technology and SOC* Assessments
This isn’t to say that technology and software advances are not an important part of the assessment practice. The AICPA supports technological solutions as an area of opportunity for assessors like Auditwerx. However, it is important that your assessment firm remain free of any conflicts of interest when partnering with or developing tools, so that it stays independent according to professional standards.
The Importance of Independence
Independence, as it relates to the organization performing your SOC 2® assessment, is extremely important in ensuring a true third-party opinion for your report. An entity that both develops and provides SOC 2® tools may create a self-review threat that cannot be properly mitigated. This could require that your compliance assessment be redone by an independent firm, adding additional time and expense.
Assessment firms like Auditwerx submit to regular peer reviews in order to demonstrate their commitment to the professional standards of the AICPA. SOC* reports are a “must-select” during these reviews, meaning that the work performed will be examined during the peer review process. It is extremely important that an assessor maintain the proper professional standards throughout the reporting process.
Compliance reports are meant to build trust between your organization, key stakeholders, and current or future clients. If proper independence is not maintained, your report may not be accepted by current or future clients who uphold their data security as a priority, possibly losing out on future opportunities.
Auditwerx is an Independent Assessor
Auditwerx is proud to be an independent, third-party assessor. We uphold the professional values of the AICPA in order to provide your organization with a high-quality reporting experience.
While we are able to partner with tools your organization might use, our experienced team will perform a thorough review in order to ensure the proper information has been collected and is complete according to your business needs. Auditwerx does not have a business interest in SOC 2® tool providers, nor do we have an in-house tool that could impede an independent report.
If your organization is ready to begin the SOC* reporting process, start at the source with an independent assessor. Contact Auditwerx today.
FAQs
Why has the AICPA issued clarification regarding SOC 2® compliance tools?
The AICPA issued the clarification to ensure that professional standards are met and to address the heightened risks associated with tool usage in SOC examinations, given the rapid evolution of these tools.
What happens if a compliance reviewer relies only on a SOC 2® tool's output?
The reviewer cannot rely solely on the tool’s output. They must perform comprehensive testing to ensure the tool is operating correctly and the information is complete, otherwise the report may not be accepted.
What is a major risk for startup organizations that rely heavily on SOC 2® tools?
These tools are often marketed to startups that may lack the knowledge to properly assess necessary controls and risks, and relying on consultants working for the tool provider could cause unforeseen compliance issues later.
What is the potential consequence for an organization that uses a non-independent reporting firm?
If proper independence is not maintained, the report may not be accepted by current or future clients who prioritize data security, which could result in lost business opportunities and the need to redo the assessment.
