As the requirement to receive SOC 1 or SOC 2 reports as part of a contract, request for proposal (RFP), or security program increases as a barrier to receiving major clients, it’s important to understand who can perform these audits. This post will identify a number of questions to answer who exactly can perform SOC 1 and SOC 2 audits.
Can a Non-CPA Organization Perform a SOC 1 & SOC 2 Audit?
No. If a firm is not a certified CPA firm, then they cannot complete a SOC 1 or SOC 2 audit that will be acceptable in the eyes of the AICPA and users of the report cannot rely on the contents provided within.
A SOC 1 and SOC 2 examination has at least four main sections that users of the report should look for. Those include the following:
- Management’s Assertion
- Auditor’s Opinion
- Description of Services
- Results of Testing
If a firm completes a SOC audit that is not a certified CPA firm, then they cannot provide an opinion of the contents detailed within the Description or Services and Results of Testing. Because of this, it is imperative to confirm that the firm your organization chooses to perform the SOC audit, meets this fundamental requirement.
Can Non-CPA Organizations Partner with CPA firms to Perform SOC 1 & SOC 2 Audits?
No. If you think otherwise, contact any member of the AICPA Trust Information Task Force. Any one of them would be more than happy to take down your information and have a dialogue with you about this topic.
With that said, the AICPA requires that team members that work on engagements have a certain level of competence and capabilities. While a non-CPA organization may have the technical capability to perform a review of the services or system being examined, they must also have experience with the following:
- Evaluating the design of controls and the operating effectiveness to confirm that they have functioned over a period of time and meet the applicable trust service criteria included in the report.
- Understand professional standards that are required by the AICPA such as the AICPA Code of Conduct along with other audit standards that allow auditors to apply professional skepticism and judgment as required.
This, however, does not mean an auditor cannot enlist the use of a specialist, if required, to complete an audit. This question will be addressed in question number five.
Are There Any Times a CPA Organization Cannot Perform a SOC 1 and SOC 2 Audit?
Yes. As part of the AICPA Code of Conduct, CPA firms MUST be independent before they can engage with a client to perform an audit. The AICPA requires that “a member in the public practice should be independent in fact and appearance when providing auditing and other attestation services,” such as a SOC 1 or SOC 2 examination.
What are the Ramifications to the Service Organization if One of the Above has Happened?
Any user organization and/or user auditor that relied on the SOC 1 or SOC 2 examination report from the service organization may have placed unwarranted reliance on that SOC report. In other words, the user organization’s financial statement audit may have to be performed again for each period in which there was unwarranted reliance. Moreover, it is illegal to depart from state laws in regard to performing attestation services.
SOC 1 and SOC 2 follow the guidance found within the Statement on Standards for Attestation Engagement (SSAE 18). SSAE 18 is meant to be a clarification and recodification which replaces SSAE 16 as the standard for SOC 1 reports. SSAE 18 has integrated concepts found in AT-C section 105, Concepts Common to All Attestation Engagements; AT-C section 205, Examination Engagements; AT-C section 210, Review Engagements; and AT-C section 215, Agreed Upon Procedures. These standards together are now the standards for both SOC 1 and SOC 2 reports. For more information on SSAE 18, check out other posts linked within the summary section.
Guidance also exists that states that the only type of organization that may perform a SOC 1 and SOC 2 audits is a licensed CPA firm. The following bullets are selected excerpts from authoritative sources listing some, but not all, of the relevant guidance supporting the comments above:
- “[A]uditor should not assume responsibility for the predecessor auditor’s work or issue a report that reflects divided responsibility” (AICPA, AU315.16).
- “The independent auditor also has a responsibility to his profession, the responsibility to comply with the standards accepted by his fellow practitioners” (AICPA, AU110.10). This includes adherence to CPE, Ethics, and licensing requirements.
- “No person, partnership, professional corporation, or limited liability company shall, without an active certificate of certified public accountant or a valid registration: Attest or express an opinion, as an independent auditor” (Colorado Revised Statute 12-2-120 Unlawful Acts (6)(II)(B)).
- “The practitioner must adequately plan the work and must properly supervise any assistants” (AICPA, AT101.42).
- “Attest services may only be rendered through firms holding permits from the state” they are performing attest services. (Uniform Accountancy Act, Section 7).
Can a Firm Use the Work of a Specialist to Perform a SOC 1 or SOC 2 Examination?
Yes. When engaging to perform a SOC 1 or SOC 2 examination, the auditor may decide it is necessary to enlist the use of a specialist. AT-C 205, Examination Engagements requires that auditors assess the following items:
- Does the specialist have the required skills to understand the service or system and do they have the required independence to complete the required work?
- Is enough evidence available to the auditor to determine whether the specialist has the necessary proficiency to understand the nature of the specialist’s work along with the scope of their expertise, and determine whether the objective of their work meets the needs of their expected role as a specialist?
- Will the auditor and the specialist be able to come to an agreement on the expected work (i.e. nature, scope, and objectives) to be completed by the specialist, the roles and responsibilities that will be required of the specialist, when and the extent of work expected by the specialist, and the duties and any confidentiality requirements that are expected of the specialist.
Through consideration and documentation of the items listed above, an auditor can engage the use of a specialist.
The overall goal of an attestation engagement is to provide users of the report or clients of subservice organizations, in this case, with an opinion on the assertions made by management. As a result, report users can place reliance on the information before deciding whether they want to put an agreement or contract in place to use that system or service. Because reliance is placed on these reports to enter into or agreement often times, it is important to understand who exactly can perform a SOC 1 and SOC 2 audit.
The main take-away from this post is this: if the report is not completed by a CPA firm, the report should not be relied on.
Please contact us if you would like a SOC audit performed for your organization. For more information check out some of our other articles that relate to SOC reports below:
- SOC 1 Reports – SSAE 18 Replaces SSAE 16
- SSAE 18 – Attestation Standards: Clarification and Recodification
- SOC 1 vs. SOC 2 – What is the Difference and How do you Know What you Need?
- What Is The AICPA?
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.