Understanding the importance of utilizing an independent firm like Auditwerx can have a big impact on how your organization chooses to meet compliance obligations. In certain cases, SOC 2®* tools may impact a firm’s independence when performing SOC 2® assessments.
How does that affect your organization? Let’s break down the importance of independence and maintaining professional standards when it comes to compliance assessments.
AICPA Code of Professional Conduct
All AICPA members must meet strict professional guidelines and maintain high ethical standards when performing their responsibilities. The AICPA Code of Professional Conduct outlines these obligations and provides additional guidance on the responsibilities of those in the profession to the public, to clients, and to colleagues.
At its core, the AICPA Code of Professional Conduct calls for members to maintain public confidence in their essential services and to uphold high standards in serving the public interest. Remaining independent is a key tenet in relation to compliance reporting.
Maintaining Independence Between Assessors and Tool Providers
When it comes to partnering with, or developing, SOC 2®* tools, there are some specific instances where doing so may negatively impact the assessor’s ability to remain independent.
- If the SOC 2® tool provider promotes an assessor’s services through media channels, with or without paying a referral fee, providing a discount on the assessor’s fees if engaged to perform an evaluation.
  - This could create a reasonable conflict of interest and undermine the reliability of the report that is delivered.
  - Additionally, if an assessment firm pays a tool provider to refer users to the member, the member should disclose the referral fee in writing.
- If a SOC 2® tool provider and an assessor enter a business relationship, and the assessor chooses to rely only on the SOC 2® tool for evidence gathering, merely signing off on the data provided by the tool.
  - An assessor must still comply with all applicable standards, and their responsibilities do not change just because a tool is involved. The tool may not report data correctly or completely, requiring the assessor to thoroughly review the applicable assessment standards with the service organization.
  - Even if the service organization being assessed utilizes a tool or if the assessor partners with tools for evidence gathering, the assessor will still be responsible for:
    - Determining the proper preconditions for an engagement,
    - Understanding the service organization’s system and controls,
    - Performing an independent risk assessment based on applicable TSC,
    - Designing procedures for the appropriate risks,
    - Obtaining sufficient evidence on the operating effectiveness and design of the controls in question,
    - Issuing an appropriate opinion in regard to the SOC 2® report.
At Auditwerx, We Take Independence Seriously
Auditwerx has provided high-quality SOC* solutions for almost 20 years and operates in a manner that adheres to the professional standards of the AICPA. Firms that do not operate in a properly independent manner could compromise your compliance report, incurring additional time and fees to have it redone.
Whether your organization currently utilizes SOC* tools, or if you are new to the compliance landscape, the experienced team at Auditwerx can adapt to meet your business needs while maintaining appropriate professional standards. Contact us today.