It can be a challenge to keep up with all the changes to compliance standards and reporting. It’s important that your auditor has the knowledge to help your service organization navigate the ever-evolving world of SOC compliance. Let’s take a look at two recent changes, SSAE No. 21 & SSAE No. 22.
SSAE No. 21 Key Points
SSAE No. 21 adds a new section (AT-C Section 206) to the reporting standards that provides your auditor with additional direction as it relates to direct examinations. Practitioners would be able to provide an examination opinion for measurements on both financial and non-financial topics related to relevant criteria.
This change is meant to help auditors be more flexible to the changing security landscape, and allow for assessment of evolving technologies, providing a third-party assessment of things that are very specific to your industry.
Along with the new guidance on direct examinations, SSAE No. 21 also adds clarification for specific terms in AT-C Section 105, Concepts Common to All Attestation Engagements.
This amendment will be effective for reports dated on or after June 15, 2022. The AICPA has made the guidelines available for practitioners to prepare for implementation.
Learn more: AICPA SSAE No. 21 at a Glance
SSAE No. 22 Key Points
SSAE No. 22 is meant to add additional transparency to review engagements. Typically, during a review engagement, the assessor is provided with a limited assurance that specified controls meet necessary guidelines. This update does 3 main things:
- It offers clarity to practitioners on the purpose of a review engagement – that it is meant to obtain a limited assurance, not that it is necessary to complete analysis of the assertion.
- It promotes transparency by detailing the procedures completed in order to obtain the limited assurance.
- It allows an auditor to issue an adverse opinion in the event that the subject material is not communicated in accordance to the guidelines or there is insufficient evidence.
This amendment will be effective for reports dated on or after June 15, 2022. The AICPA has made the guidelines available for practitioners to prepare for implementation.
Learn more: AICPA SSAE No. 22 at a Glance
Choose an Experienced SOC Partner
When it comes to your SOC audit, it’s important to have a partner you can trust. With over 2,500 compliance reports completed, our IT audit team has the industry expertise you need to take your compliance goals from overwhelming to under control. Contact a specialist today to learn about our simple SOC process.
