SOC engagements: Ethics risks with tool providers
The AICPA Code of Professional Conduct (Code) includes key ethics considerations for members who have a business arrangement with a SOC 2® tool provider while also performing System and Organization Controls (SOC) examination engagements under the AICPA Statements on Standards for Attestation Engagements (SSAEs) for the tool provider’s customers. (These considerations may also be relevant to other types of audit and attest services.)
As these arrangements become more common and more formal — for example, via contracts — members should closely evaluate any terms that shift control, professional judgment, financial dependency, promotional efforts, or access to evidence away from the member and toward the tool provider.
Furthermore, any arrangement that limits the member’s ability to set scope and timing, obtain evidence, communicate deficiencies, or remain objective can create ethics and independence threats.
Service auditors should also be alert to circumstances that may threaten compliance with the attestation standards as highlighted in “Promises of ‘Fast and Easy’ Threaten SOC Credibility,” JofA, Feb. 1, 2026.
Terms used in this article
In this article, “service auditor” refers to the member or member’s firm that performs the SOC examination and issues the related report.
The “service organization” is the auditor’s attest client and is also the customer of the SOC tool provider.
A “SOC 2 tool provider” is a vendor that supplies software or services used by service organizations to help design, operate, and monitor the effectiveness of controls and to support reporting, in connection with SOC 2 readiness and ongoing compliance activities.
Applicable authoritative guidance
Service auditors should apply the Code in its entirety when performing SOC 2 examinations. For SSAE engagements, limited modifications to the application of the “Independence Rule” (ET §1.200.001) are in the “Independence Standards for Engagements Performed in Accordance With Statements on Standards for Attestation Engagements” subtopic (ET §1.297).
Responsible party
If the tool provider is a “responsible party” under the SSAEs, the service auditor must be independent of the tool provider as well as the service organization. Whether the tool provider is a responsible party depends on the services it provides and on what is in scope for the examination.
Network firm considerations
Some arrangements can create independence threats if the tool provider is part of the firm’s network or in an alternative practice structure. If the tool provider is in the service auditor’s network, the service auditor should consider the tool provider’s interests and relationships with attest clients when evaluating independence.
Ethical conflicts
Ethical conflicts can arise when a service auditor is faced with pressure from a tool provider — for example, when the service auditor’s obligations under the Code do not align with legally enforceable contracts with the tool provider. The “Ethical Conflicts” interpretation (ET §1.000.020) calls for the service auditor to consider consulting within the firm or with appropriate professional or legal resources.
If the conflict cannot be resolved, the service auditor should consider ending the business arrangement or declining or discontinuing the engagement.
Use the conceptual framework and safeguards
Even if the tool provider is not a responsible party and not part of the firm’s network, a business arrangement with a tool provider that also serves the service auditor’s attest clients can still create threats to independence, objectivity, and compliance with the Code.
If the Code does not directly address the circumstance or relationship, service auditors should use the conceptual framework approach: identify threats, evaluate whether they are significant, and apply safeguards to eliminate or reduce them to an acceptable level. This structured approach is outlined in “Conceptual Framework for Members in Public Practice” (ET §1.000.010) and “Conceptual Framework for Independence” (ET §1.210.010).
When threats are significant, safeguards must be put in place. If safeguards are not available or do not eliminate threats, performing or continuing the examination will not be appropriate.
When safeguards are applied to eliminate significant threats or reduce them to an acceptable level, it is best practice to document the evaluation and conclusion reached. Be aware that when applying the “Conceptual Framework for Independence,” documentation of safeguards applied is required.
Refer to available toolkits and resources, such as the AICPA’s Conceptual Framework Toolkit for Members in Public Practice, for practical support in applying the framework.
Common threats
Business arrangements with tool providers may create threats to a service auditor’s compliance with the Code, such as these:
- Undue influence threat, specifically pressure to subordinate judgment.
- Self-interest threat, specifically financial or other benefits tied to fee arrangements with the tool provider.
The following sections illustrate how these threats can emerge in contracts and working relationships. If a threat is significant, service auditors should apply a relevant interpretation or the conceptual framework.
Objectivity, conflicts of interest, and independence
The “Integrity and Objectivity Rule” (ET §1.100.001) and the “Conflicts of Interest for Members in Public Practice” interpretation (ET §1.110.010) require service auditors to remain objective and not subordinate professional judgment.
SOC 2 examinations also require independence. Independence threats can arise from a tool provider’s relationships and actions — even when the tool provider is not under the service auditor’s control.
Arrangements that may create self-interest or undue influence threats include:
- Cross-referral arrangements (with or without compensation) when the service auditor has a concentration of client introductions or referrals from a tool provider or an exclusive relationship with a tool provider.
- Tool provider involvement in the examination, such as contractual rights to observe audit work, sit in on service auditor–client discussions or otherwise appear to participate in or influence the examination.
- Tool provider-driven deadlines that require completion within a fixed time frame without appropriate regard to the service auditor’s professional judgment about scope, risk, staffing, and evidence needs.
Bundled services are another arrangement that can create these threats: the tool provider sells a “package” that includes the SOC 2 examination and sets the examination fee. A related contractual term may permit the tool provider to unilaterally change the examination fee.
The examination fee must be set by the service auditor using professional judgment and must not be influenced by the tool provider’s services, except as permitted by the “Determining Fees for an Attest Engagement” interpretation (ET §1.230.030). If a third party effectively controls the examination fee or ties it to other services, independence may be impaired. The service auditor may consider efficiency gained from familiarity with the tool but may not use the provider’s separate services to justify the examination fee.
Obtaining sufficient evidence and meeting SSAE requirements
Threats to objectivity can also become threats to compliance with standards. Contract terms that restrict how the service auditor performs the work can threaten the auditor’s ability to comply with the SSAEs.
Examples of contract terms that can conflict with the “Compliance With Standards Rule” include:
- “Non-disparagement” clauses or limitations on the tool provider’s liability that effectively prevent the service auditor from communicating required matters to the client.
- A requirement that the service auditor pay the tool provider for access to evidence needed for the examination, which raises questions about whether the service auditor can obtain sufficient appropriate evidence in all circumstances.
If contract terms or business pressure interfere with professional standards, service auditors should consider the “Ethical Conflicts” interpretation.
Also, service auditors should consider whether any payments to or from the tool provider are, in substance, referral fees that require written disclosure to the attest client under the “Commissions and Referral Fees Rule” (ET §1.520.001).
Advertising and other forms of solicitation
The Code establishes boundaries regarding how service auditors may obtain clients and prohibits the use of false, misleading, or deceptive advertising and solicitation. Service auditors are also responsible for ensuring that third-party promotional activities tied to their services comply with the Code.
A service auditor cannot “outsource” misleading marketing to a vendor to avoid compliance with the rules.
Examples of advertising practices that may be prohibited by the Code include:
- Guaranteeing outcomes (for example, “clean audit,” “100% pass rate,” or similar promises that create unjustified expectations).
- Misstating credentials (for example, calling the service auditor “AICPA-approved”).
Examples of contractual terms that create threats to the “Advertising and Other Forms of Solicitation Rule” (ET §1.600.001) include:
- Requiring both parties to use reasonable efforts to persuade the service organization to retain both parties, or preventing each party from “disparaging” the other.
- Allowing the vendor to insert materials around the SOC report.
Practical takeaways
As business arrangements between SOC 2 tool providers and service auditors become increasingly common and formalized — often through written contracts — service auditors need to carefully evaluate any aspects of the arrangement that could shift control, professional judgment, financial dependence, promotional responsibilities, or access to evidence away from the auditor and toward the tool provider.
Ultimately, any such arrangement that restricts a service auditor’s ability to determine scope and timing, obtain sufficient appropriate evidence, communicate deficiencies, or maintain objectivity may introduce significant ethics and independence threats.
Where threats are significant, service auditors should implement safeguards and document the evaluation. If the arrangement would prevent compliance with the Code or the SSAEs, the service auditor should decline or discontinue the engagement or business arrangement.
To take a deeper dive into this subject — including more resources and analysis — visit the AICPA Online Ethics Library after April 27 and find “Relationships With SOC Tool Providers” under Ethics Staff Insights. Division staff are available on the ethics hotline to help with questions about application of the AICPA Code of Professional Conduct. To access the hotline, email ethics@aicpa.org or call 888-777-7077, option 3, then option 3.
— The SOC 1®, SOC 2®, and SOC 3® marks are registered trademarks of the AICPA. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.