What to Know – Recent Changes to SOC 1 Guidance

The recent updates to the SOC 1 reporting process come with a significant impact to many organizations. The American Institute of Certified Public Accountants’ (AICPA’s) Auditing Standards Board approved an updated release to the AICPA SOC 1 Guide, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®). If you currently have or will be working toward a SOC 1 report, it is essential to understand the impact of these recent updates to the SOC 1 reporting process. Identification of key reports, files or other outputs provided or made available to user entities’ relevant to their ICFR may take considerable effort. Close collaboration will be required between service organizations and service auditors to identify these, determine their relevance, identify and test the relevant controls, and include them in the SOC 1 report. Early planning will help your organization stay ahead of the curve when it comes to preparation and achieving compliance. 

The Guide has been developed by the AICPA Service Organizations Task Force for SOC 1 to assist practitioners engaged to examine and report on controls at a service organization that are likely to be relevant to user entities' internal control over financial reporting. The latest updates provide enhanced implementation guidance for auditors and users to bring clarity around several recent and emerging industry topics to promote reporting quality and consistency. 

Summary of Changes 

Available for use now, the AICPA updates for SOC 1 examinations are significant and may require additional time and attention from companies who currently have a SOC 1 report or are planning on working toward compliance. High level updates include: 

  • Incorporating new attestation standards (e.g., SSAE-20 to align the materiality concepts discussed in the attestation standards with the description of materiality used by the U.S. judicial system, the auditing standards of the PCAOB, the SEC, and FASB; and SSAE-21 adding new AT-C section 206 Direct Examination Engagements); 
  • Clarification that management's description of the service organization's system generally should include key outputs, such as reports, or files provided or made available to user entities if they are relevant to user entities' internal control over financial reporting (ICFR); 
  • Clarifies the limitations of the service auditor’s responsibilities to report negative information about carved out subservice organizations, since the service auditor is only required to determine whether the service organization’s controls designed to monitor services provided by the subservice organization are fairly presented and not whether they are suitability designed and operating effectively. Limitations exist since the description ordinarily does not include a control objective regarding monitoring of the subservice organization's activities, and additionally, the service organization’s monitoring controls are limited to those controls that the service organization has the ability to implement;
  • Guidance on evaluating the results of tests of controls that management performed on a sample of transactions (for example, a control that is designed to check the accuracy of manual processing for a selection of transactions).

Additional Updates 

The AICPA provided further guidance through additional illustrative examples to demonstrate application of the standards, including the following: 

  • The illustrative reports and management assertions were revised to emphasize that management of the service organization is responsible for its description of the service organization’s system and for its assertion;
  • Illustrative Type 1 SOC 1 service auditor’s report and management’s assertion have been added;
  • Additional and improved examples of CUECs and CSOCs;
  • Clarity on the suitability of control objectives and examples of suitable control objectives;
  • Illustrative examples to evaluate the completeness of control objectives for a particular service organization;
  • Examples of separate paragraphs that would be added to the service auditor's report for various scenarios encountered during testing of control operating effectiveness, for example, when controls were not operating effectively for a portion of the period under examination.

How We Can Help

Our Third Party Attestation Practice team is dedicated to providing high quality SOC attestation services and can help you: 

  • Understand expectations for a SOC 1 report; 
  • Evaluate your control environment; 
  • Identify any reporting gaps to determine necessary incremental controls and system description updates; 
  • Develop a customized SOC 1 reporting plan for the new requirements.

Backed by one of the world’s largest global networks, BDO tailors SOC services to meet our clients’ unique needs, allowing us to deliver them in the most efficient and cost-effective way possible.