Updates on Recent Clarifications Provided by the AICPA:
The AICPA has released new clarification on SOC software tools designed to help service organizations efficiently prepare for SOC examinations.
Because these tools are evolving rapidly in the marketplace and carry heightened risks for SOC examinations, the AICPA has released this information and clarification to ensure professional standards are met.
Considerations for Engagements Using SOC 2 Tools
There are some key points your organization needs to be aware of when using a SOC tool, or partnering with a SOC 2 provider for your compliance assessment:
- A service organization's use of a SOC 2 tool does not eliminate or reduce the need for your CPA auditor to take responsibility for the reporting and evidence collected according to professional standards. Your CPA auditor will need to review the data for completeness and accuracy.
- Your CPA auditor will not be able to rely solely on the information provided by a SOC 2 tool without comprehensive testing to determine whether the tool is operating correctly and whether the information gathered is complete and accurate. This means that you may incur additional costs when choosing to begin your compliance efforts by relying on tools.
- SOC 2 compliance tools are most often marketed to startup organizations that may not have the requisite knowledge of IT security practices to make sound decisions about the risks incurred or the controls needed to mitigate those risks. Relying on consultants working for the tool provider could cause unforeseen issues in the future.
Technology and SOC Auditing
This isn’t to say that technology and software advances are not an important part of the audit practice. The AICPA supports technological solutions as an area of opportunity for auditors like Auditwerx. However, it is important that your audit firm remain free of any conflicts of interest when partnering with or developing tools, so that it remains independent according to professional standards.
The Importance of Independence
Independence, as it relates to the organization performing your SOC 2 examination, is extremely important in ensuring a true third-party opinion for your report. An entity that both develops and provides SOC 2 tools may create a self-review threat that cannot be properly mitigated. This could require that your compliance audit be redone by an independent firm, adding time and expense.
CPA audit firms like Auditwerx submit to regular peer reviews in order to demonstrate our commitment to the professional standards of the AICPA. SOC reports are a “must-select” during these reviews, meaning that the work performed will be examined during the peer review process. It is extremely important that a CPA firm maintain the proper professional standards during the reporting process.
Compliance reports are meant to build trust between your organization, key stakeholders, and current or future clients. If proper independence is not maintained, your report may not be accepted by current or future clients who treat their data security as a priority, and you may lose out on future opportunities.
Auditwerx is an Independent, Accredited SOC Audit Firm
Auditwerx is proud to be an independent, third-party CPA firm. We uphold the professional values of the AICPA in order to provide your organization with a high-quality reporting experience.
While we are able to partner with tools your organization might use, our experienced team will perform a thorough review in order to ensure the proper information has been collected and is complete according to your business needs. Auditwerx does not have a business interest in SOC 2 tool providers, nor do we have an in-house tool that could impede an independent report.
If your organization is ready to begin the SOC reporting process, start at the source with an accredited CPA firm. Contact Auditwerx today.