Service organization management and the service auditor each have specific responsibilities in a SOC 2 examination. This blog describes the service auditor’s responsibilities, including the preconditions of engagement acceptance and the importance of understanding the terms of the engagement with management.
If you are a service organization looking for a new service auditor, client acceptance requirements are an area to understand prior to selecting your new service auditor. Client acceptance is a critical step in any attest engagement, and the SOC examination is no different. Client acceptance and Client continuance often happen behind the scenes and are typically not impactful to the Service organization. Some service auditors may consider client acceptance as a box that needs to be checked to move on to the juicy parts of the SOC examination, however, it is not an area to be taken lightly. If inappropriate client acceptance procedures are performed, it can be detrimental to the Service Auditor performing the SOC examination, and also detrimental to the Service organization.
If client acceptance procedures are lacking, the service auditor may be exposed to fraudulent acts at the service organization or potentially an independence issue. If this happens, the report delivered will hold very little value to the users, and the reputation and future of the service auditor may be in jeopardy. Before accepting an engagement to audit a new Service organization, the service auditor must perform their due diligence around the client acceptance process, anticipate acceptance issues, address the client risk, and perform risk acceptance procedures.
What is the Client Acceptance Process?
Prior to accepting a SOC 2 examination, AT-C section 105, Concepts Common to All Attestation Engagements requires the service auditor to determine that certain preconditions are met. Those preconditions require the service auditor to determine that the service organization meets certain ethical and competency requirements.
The AICPA Statements on Quality Control Standards (SQCS) direct and require CPA firms to establish policies for the acceptance (and continuance) of client relationships and engagements. The SQCS discusses that regardless of the CPA firms, there needs to be an acceptance process established. The level of efforts around client acceptance may vary from firm to firm, and many firms use a checklist to guide their process.
What are Some of the Considerations For Client Acceptance in a SOC Audit?
The AICPA provides a commonly used client acceptance tool that may be utilized to evaluate service organizations that a service auditor is considering bringing into their portfolio. This spreadsheet includes key points to consider before accepting an engagement with a new client. The spreadsheet can assist to identify acceptance issues before they happen. The document assists to discover client risks that may not have been considered, and document the service auditor’s procedures to determine if they are capable of risk acceptance. The AICPA client acceptance standards and AICPA client acceptance evaluation tool assists service auditors to evaluate new service organizations. It also helps service organizations to understand what AICPA client acceptance factors may look like.
What are the Major Factors that should be considered before accepting the client?
AICPA guidance is clear on the major factors that should be considered before accepting a new client. During client acceptance, the service auditor is responsible for a number of different factors.
Client acceptance is a big decision! The service auditor alone must determine whether to accept (or continue) an engagement for a service organization. In order to make this decision, the service auditor needs to consider guidance. AICPA guidance states that the service auditor needs to determine whether the “preconditions” for accepting an examination have been met (paragraphs .24–.25 of AT-C section 105).
These preconditions include:
- Independence: The service auditor must be independent in accordance with the AICPA Code of Professional Conduct.
Independence, as stated in the AICPA Code of Professional Conduct, is required for examinations that report on controls at a service organization. The independence assessment process addresses matters of scope of services, fee arrangements, firm and individual financial relationships, firm business relationships, and alumni and family relationships with the service organization and its personnel.
When performing engagements in which independence is required, the service auditor needs to be independent with each responsible party as defined in the following three SOC applicable AICPA standards.
- The “Independence Rule” of the AICPA Code of Professional Conduct establishes independence requirements for attestation engagements.
- The “Independence Standards for Engagements Performed in Accordance with Statements on Standards for Attestation Engagements” subtopic of the “Independence Rule” establishes special independence requirements for a service auditor who provides services under the attestation standards.
- Lastly, the “Conceptual Framework Approach” subtopic of the “Independence Rule” discusses threats to independence not specifically detailed elsewhere. The “Independence Rule” is followed by interpretations of the rule that assist the service auditor in assessing independence.
Keep in mind that for this step to analyze independence, the service auditor does not need to be independent of the user entities of the service organization. A consideration point, however, is that if the service organization that the service auditor is performing client acceptance upon uses a subservice organization, and management elects to use the inclusive method in their report, then that subservice organization management is also a responsible party. Therefore, the service auditor should also be independent of the subservice organization. With this in mind, if a service auditor is determined to NOT be independent, they should decline the engagement.
Additional pre-conditions required by the AICPA are as follows:
- The service auditor should determine that the service organization management is accepting the responsibility for the preparation of the description of the service organization’s system. This description needs to be in accordance with the description criteria and the suitability of design of controls and the operating effectiveness of controls to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved.
- The service auditor should determine that the subject matter of the SOC examination is appropriate.
- The service auditor should determine the criteria used to prepare and evaluate the subject matters that are both suitable and available to users of the report.
- The service auditor should determine that they will be able to obtain the evidence needed to arrive at his or her opinion on the description and the suitability of design of controls, and, in a type 2 examination, the operating effectiveness of controls. Further, the service auditor will need to determine that they will have access to all information relevant to the measurement, evaluation, or disclosure of the subject matter.
When these preconditions are met, the service auditor should continue with their client acceptance protocols. Within the client acceptance protocols, consideration should be made to consider paragraph .27 of QC section 10, A Firm’s System of Quality Control, which states that the service auditor should “establish policies and procedures for the acceptance and continuance of client relationships and specific engagements.”
These policies should be designed to provide reasonable assurance that the service auditor will undertake or continue relationships and engagements only when they are competent to perform the examination and have the capabilities. This includes the service auditors’ own time and resources, if they don’t have adequate staffing to support the new client engagement, then they should decline and not accept the engagement. The service auditor needs to determine they can comply with legal and ethical requirements, and has determined the integrity of the client. The service auditor should not have any information that may lead them to believe that the client is lacking integrity.
Integrity is a very large factor in deciding to accept a client. The quality control requirements for competence and ethical behavior are reiterated in paragraph .27 of AT-C section 105, which states that the service auditor should accept or continue a SOC examination only when the service auditor “has no reason to believe that relevant ethical requirements, including independence, will not be satisfied.”
Quality control procedures should include consideration of the integrity and reputation of the service organization management and significant shareholders or principal owners to determine whether the service auditor’s reputation is likely to suffer by association. Generally, the service auditor will accept or continue a client relationship only after he or she has considered the integrity of service organization management, significant shareholders, or principal owners. Based on these considerations, if there is no information that alludes to an auditor questioning the service organization’s integrity, then the service auditor could conclude that it is unlikely that working with that client would expose the service auditor to undue risk.
Other consideration factors during Engagement acceptance that the Service auditor should conclude upon include:
- The service auditor needs to agree on the terms of the engagement with service organization management, including establishing an understanding of the responsibilities of management and the service auditor.
- The service auditor needs to reach an understanding with management regarding their willingness and ability to provide a written assertion at the conclusion of the examination
- The service auditor needs to establish an overall strategy for the examination that sets the “scope, timing, and direction of the engagement and guides the development of the engagement plan”, including the consideration of materiality and the identification of the risks of material misstatement.
- The service auditor needs to perform procedures to assess the risk of material misstatement, including obtaining an understanding of the service organization’s system and how the system controls were designed, implemented, and operated “to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved based on the applicable trust services criteria.”
When Should a Client Acceptance Form be Completed?
Timing is critical when performing client acceptance procedures. Typically, the form and/or process should be completed prior to sending an engagement letter out to the prospective client. Client continuance should be performed prior to re-engaging with the existing client for the next period cycle of testing. A service auditor should determine the best method for their firm to document and memorialize client acceptance and continuance.
The AICPA supplied checklist is one option or a custom-created client acceptance form is another acceptable way to do this. Service auditors should develop a consistent acceptance process they can apply. The service auditors should memorialize the approvals for client acceptance criteria and the evaluation process for all the client acceptance factors.
Consistent documentation for client acceptance and continuance and approaches should be taken by service auditor firms. Common client acceptance procedures sometimes include the following:
- Understanding any changes in ownership, management, and those charged with governance.
- Assess management’s experience in their roles and knowledge, credentials.
- Assess management’s appreciation of internal control.
- Assess how management accepts their responsibilities that are applicable to the SOC report.
- Obtain referrals and consider speaking with the client’s other professional advisers.
- Obtaining background checks on key personnel.
- Perform information gathering searches on the internet focusing on the client and key members of client management. Specifically inspect for public records for pending or past lawsuits, understanding the client’s history to sue its professional advisers.
- If there was a prior CPA firm, understand why the client left or fired that firm, and how often in the past the client has changed service providers.
- If there was a prior CPA firm, requesting to speak with the prior CPA. If the change was on good terms, the prospective client should not hesitate.
- Perform a credit check and determine any patterns related to the client’s ability to pay invoices timely.
- Review the client’s public records, including financial statements (if available); if there were any delays in issuance or restatements, understand the root cause with the client.
- If available, review previous tax returns, and recent tax return audit results.
- Never underestimate the importance of that gut feeling!
Is There any Condition Why An Auditor May Not Wish to Continue a Relationship with an Existing Client?
A risk acceptance strategy by a service auditor is critical in the Client acceptance and Client continuance processes. There may be conditions where a CPA firm may determine that a service organization presents too much risk to start or continue a relationship providing their SOC examination compliance report.
Conditions that may lead a service auditor to reject a new client or end an existing client relationship may include:
- Independence issues.
- Integrity issues.
- Cultural differences that cannot be overcome.
- Fraud with leadership at a service organization.
- Financial Hardship – Lack of previous payment (existing client).
- Difficulty in obtaining required documentation from an existing client to support the engagement procedures.
- Mergers by the client that impact independence or scope.
- Lack of resources or capacity at the service auditor firm.
- Change in scope of services covered.
- Service organization Industry deemed high risk for service auditor’s risk tolerance.
- Lack of service auditor expertise on emerging technologies utilized at service organizations.
Although ending a relationship or declining a new client is never an easy thing to do. The right decisions must be made based on the facts that support them. In the long run, making the decision to end the relationship will likely save a lot of angst in the end. The last thing the service auditor or service organization wants to end up with is a qualified or disclaimed SOC report. A service auditor’s responsibility is to serve with the public’s best interest in mind.
Client acceptance is a very important step in the SOC examination process. The process should not be taken lightly, and as discussed, the results should be memorialized in the service auditor’s archives related to the accepted service organizations. The hope is that when the AICPA required client acceptance and continuance practices are followed, it will limit surprises for the service auditor, the service organizations, and the users of the report.
Linford & Company is an independent CPA firm that specializes in a variety of audit services, including SOC 1 and SOC 2 audits. If you have further questions on what Client Acceptance and Client Continuance entails, please review our website and contact us to see how we can further assist you and your organization.
Rhonda is a Partner at Linford & Co. delivering risk services including service organization control (SOC) engagements, and Internal Audit services (IT and Business process audits). Rhonda has her CPA, CISSP, PMP, and CISA certifications and delivers leading-edge client service. Previously, Rhonda was a Managing Director at Deloitte, and brings a wealth of expertise in the areas of risk management and compliance.