Technical Practice Aids issued on SOC reports


The AICPA issued Technical Practice Aids (TPAs) 9520.12–.26 to provide nonauthoritative guidance regarding Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization (AICPA, Professional Standards, AT sec. 801).

The TPAs provide guidance for service auditors reporting on controls at a service organization relevant to user entities’ internal control over financial reporting (ICFR), and also to user auditors who audit the financial statements of entities that use a service organization. SSAE no. 16 supersedes the guidance for service auditors that is in Statement on Auditing Standards no. 70, Service Organizations (AICPA, Professional Standards, AU sec. 324). The guidance for user auditors will remain in the auditing standards.

The TPAs cover topics including the effect of moving the guidance for service auditors from the auditing standards to the attestation standards, the changes introduced by SSAE no. 16, the content of management’s assertion, determining whether an outside CPA firm that performs significant accounting and financial reporting processes and controls for a user entity is a service organization, and reporting on a service auditor’s engagement under both SSAE no. 16 and International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization.

TPAs 9520.01–.11 replace TIS section 9520, Service Organization Standards and Implementation Guidance, in AICPA Technical Practice Aids. The section is now titled SSAE No. 16, Reporting on Controls at a Service Organization.

In addition, TIS section 9530, Service Organization Controls (SOC) Reports, in AICPA Technical Practice Aids was issued to include TPAs 9530.01–.22 to provide nonauthoritative guidance on reporting on controls at a service organization relevant to subject matter other than user entities’ ICFR, specifically controls at a service organization relevant to the security, availability or processing integrity of a system or the confidentiality or privacy of the information the system processes. This engagement uses the Trust Services criteria to evaluate a system’s attributes. These TPAs provide information about and differentiate the three service organization controls (SOC) engagements included in the SOC report series (SOC 1 for SSAE no. 16 engagements; SOC 2 and SOC 3 for reporting on controls over the attributes of a system using the Trust Services criteria).

The TPAs provide information about the source of the guidance for performing and reporting on these engagements, and the authority of the new SOC 1 and SOC 2 guides. The section also includes a table that (1) identifies a variety of attestation engagements that involve reporting on controls and (2) the appropriate attestation standard or interpretive guidance to be used in the circumstances.

More from the JofA:

 Find us on Facebook  |   Follow us on Twitter  |   View JofA videos

SPONSORED REPORT

Why cybercriminals are targeting CPAs

This free report expands on the most commonly found scams, why education and specialized IT knowledge help to lessen security vulnerabilities, and why every firm should plan carefully for how it would respond to a breach.

PODCAST

How tax reform — and Excel — are changing the CPA Exam

Mike Decker, the vice president of examinations at the AICPA, discusses changes being made to the exam as a result of tax reform — and about how Excel will now be available for use on the test.