The risks of quick‑turn SOC engagements and what CPAs should know
System and Organization Controls (SOC) reports are examinations performed by CPAs in accordance with the AICPA’s Statements on Standards for Attestation Engagements to evaluate the controls over customer data that service organizations such as cloud providers or payroll processors have in place. SOC reports provide independent assurance to the service organization’s customers, aka user entities, that those controls are suitably designed and operating effectively.
The entrance of technology vendors into the realm of SOC reporting has created some efficiencies, but it also has led to promises of “fast and easy” SOC reports that have raised credibility concerns in the marketplace.
In this episode of the Journal of Accountancy podcast, Amy Pawlicki, the AICPA’s vice president–Assurance & Advisory Innovation, discusses recent developments affecting SOC engagements. The conversation also highlights what CPAs, service organizations, and report users should watch for to protect trust in SOC reporting.
Other resources mentioned in the episode include:
- A JofA article on ethics risks related to SOC tool providers.
- The AICPA’s SOC landing page.
- Ethics Staff Insights: Business Arrangements With SOC Tool Providers.
What you’ll learn from this episode:
- What SOC reporting is — and why a SOC 2 report is not a certification.
- How a technology trend is threatening SOC credibility.
- The ethical risks related to SOC reporting tool vendors.
- The peer review and the AICPA Code of Professional Conduct requirements for CPAs performing SOC work.
- Where to find AICPA resources for firms, service organizations, and users.
An edited transcript of the episode follows.
To comment on this episode or to suggest an idea for another episode, contact Neil Amato at Neil.Amato@aicpa-cima.com.
Transcript
Neil Amato: Welcome back to the Journal of Accountancy podcast. I’m your host, Neil Amato. A February JofA article had this headline: “Promises of ‘Fast and Easy’ Threaten SOC Credibility.” That topic and other related and recent developments are the subject of this episode. I’m talking to Amy Pawlicki, the AICPA’s vice president–Assurance & Advisory Innovation.
Amy, it’s been four years since you’ve been on the JofA podcast. Welcome back.
Amy Pawlicki: Thanks so much for having me back.
Amato: First, we’re going to be using an acronym or two. I’ve already mentioned one of them. It is SOC, that is S-O-C. What does SOC stand for, and what is a SOC audit or a SOC report?
Pawlicki: The acronym SOC actually stands for System and Organization Controls reporting. While there are a number of different flavors of SOC reports, what most people are thinking of when they talk about SOC is a SOC 2 report. What a SOC 2 report addresses specifically is system reliability for third-party service organizations. It’s intended to help companies that outsource to those third-party service organizations to feel comfortable that that service organization has the proper controls in place and that those controls are operating effectively to protect their client’s information.
It’s also really important to note that SOC 2 is not a certification. It’s actually an examination-level attestation engagement signed off on by a licensed CPA. This is a really important distinction because it means that SOC 2 provides a really high level of assurance. In fact, it’s the same level of assurance as that of a financial statement audit, and just like a financial statement audit has to be performed by a CPA under accepted auditing standards, so must a SOC 2 engagement be performed under accepted attestation standards. In this case, the standards we’re talking about are the AICPA attestation standards, which are promulgated by the independent AICPA Auditing Standards Board, which by the way, also promulgates auditing standards for private-company audits.
Attestation standards, for those who may not know, are basically standards that cover engagements of subject matters other than the audit of financial statements. What many people don’t realize is that these engagements are required under state law to be performed by licensed CPAs in accordance with what’s called the UAA, or Uniform Accountancy Act, definition of attest. This is really important because unlike other professionals, licensed CPAs are subject to many requirements that are intended to drive quality and protection of the public interest for those who rely on CPA reports, including requirements related to ethics and independence, performing services under robust professional standards, and having the requisite subject matter expertise for any services performed.
In the case of SOC reporting, a CPA performing one of these engagements has to have deep system reliability subject matter expertise related to topics like information security and privacy, among many other things.
Amato: Thank you for that opening summary. I’m glad you mentioned, obviously, the explanation of SOC. You also mentioned the ASB. I’m recording with ASB Chair Halie Creps here in a few weeks. We will also talk about attestation standards in that conversation. Going back to the article mentioned in the intro again, the headline is “Promises of ‘Fast and Easy’ Threaten SOC Credibility.”
We’ll have a link to that article in the show notes. Tools exist to streamline the work involved in a SOC engagement. What briefly is the specific concern in the marketplace today?
Pawlicki: I’m going to go back a little bit and then bring us up to present. Over time, as outsourcing has proliferated, SOC 2 has become known as the gold standard and a market imperative for third-party service organizations that are looking to demonstrate to their customers that those customers can be confident in how data is being managed or handled.
Along the way, a number of tech vendors have emerged to take advantage of this growing market opportunity. It speaks to the success of SOC that there are a lot of people interested in getting involved. In some cases, these vendors are simply providing tools that help service organizations to organize their information to get ready for a SOC engagement and also tools that help CPAs to perform the engagements more effectively and efficiently, and this is great. We fully support the use of technology to drive innovation, efficiency, and quality, and that is what many tool vendors and many CPA firms that are working with tool vendors are doing today.
The problem is, this is not how all of the vendors are approaching the market. Some are looking to automate the service entirely, and when they’re doing that, they’re promising quick turnarounds and exceedingly low flat-rate prices for what they call SOC certification.
All of those things imply that every SOC engagement is the same, which really couldn’t be further from the truth. In reality, a SOC 2 engagement can cover one, two, three, four, or all five of the trust services criteria or any combination of those things. Those things cover information security, confidentiality, privacy, processing integrity, and availability of the system. They’re quite different.
Those engagements can be quite complex or relatively simple, depending on the nature of the business and industry that the service organization is operating in. You can’t just slap a SOC certification badge on every company that has a SOC engagement because that would imply they’ve all done the same things, and that’s not true. Those engagements are all different. And it’s also important that the services be done annually as things can change over time. What is really important is the SOC 2 report itself, which provides key information about the controls that the service organization has in place and the CPA’s opinion on whether or not those controls are operating effectively.
The biggest problem we’ve seen in the marketplace is technology vendors allegedly promising clean opinions and drafting boilerplate reports that are signed off on by a CPA who did not have any involvement and did not actually perform a SOC engagement. Licensed CPAs engaging in this activity who are properly enrolled in peer review should expect deficiencies in their peer review findings. Licensed CPAs who are not enrolled in peer review or unlicensed signatories representing themselves as CPAs signing off on fraudulent reports are actually violating state law.
Amato: A later JofA article published in early April on this topic says, “[M]embers should closely evaluate any terms that shift control, professional judgment, financial dependency, promotional efforts, or access to evidence away from the member and toward the tool provider.” Can you elaborate on the significance of that excerpt?
Pawlicki: This quote actually relates to a detailed technical publication that’s also posted to our website and to the AICPA online ethics library entitled Ethics Staff Insights: Business Arrangements With SOC Tool Providers. The bottom line is that in addition to peer review, licensed CPAs performing any type of assurance services are subject to key ethics considerations that are covered by the AICPA Code of Professional Conduct. This document covers those considerations in the context of business relationships that firms may have with SOC tool providers when they’re performing SOC engagements. That’s what the article and the related ethics staff insights piece cover.
These types of terms that were referenced in [the] quote, as well as some additional terms that the article goes on to cover, including limiting the CPA’s ability to set the scope and timing of the engagement, to obtain evidence, to communicate deficiencies, or to remain objective, can create ethics and independence threats. This is really important because, if you think about the purpose of the SOC engagement, these types of limitations by definition inhibit the CPA from being able to perform a high-quality engagement in accordance with the standards and with the Code of Professional Conduct.
Therefore, they also inhibit the ability of the CPA to objectively perform an engagement that truly assesses risk and protects the interests of the users of the reports and supports the high level of assurance that’s covered by the opinion.
Amato: Also important to emphasize, and correct me if I’m wrong: the majority of SOC reports are done the right way. For those doing things the right way, what is the message on this topic?
Pawlicki: I think, given the media attention around allegations of fraud, there’s a tendency to forget that most service organizations are doing the right thing and hiring credible CPA firms with a lot of experience in the SOC space to perform their SOC engagements. And most CPA firms are using technology appropriately to drive client value. If anything, the media attention does shine a light on what the buyers and users of SOC reports need to understand to protect themselves, and it underpins the value of genuine SOC services and SOC reports.
Amato: If you’re a CPA firm trying to figure out what’s appropriate for working with a tech vendor, what do you need to know?
Pawlicki: On our website, we have a SOC landing page, and there are tons of resources on this landing page for CPA firms who are practicing in the SOC space. Those include all of our technical guidance, both authoritative and nonauthoritative, recent news items, basically anything you’d want to know if you’re practicing in this area. There are a couple of resources on that page that are specific to this question, including the ethics staff insights that we referenced previously. Also, there are very recently released FAQs on the effect of the use of software tools on SOC 2 examinations that you would want to look at.
Amato: If you’re a service organization or an entity that depends on one or more service organizations to protect your data, what do you need to know?
Pawlicki: Same thing, on the same SOC landing page. We also have resources for service organizations, including a document that’s highly relevant to this question called Information for Service Organization Management in a SOC 2 Engagement, and we have resources for companies that use service organizations and rely on SOC reports, including one document that’s particularly relevant called How to Perform Proper Vendor Management.
As I said earlier, it’s important that a licensed, knowledgeable CPA is actually performing the work and testing needed to confirm that relevant controls are in place and operating effectively. Without this, there’s really zero value to a boilerplate, fabricated report that’s rubber-stamped by someone with zero involvement.
In this case, the service organization is really paying for nothing, and they’re also putting themselves at risk because, just as the companies that are relying on service organizations to do the right things to protect their information from being compromised, service organizations are incentivized not only to demonstrate that they’re protecting information to their customers, but also because if they don’t have the right controls in place and operating effectively, they’re at risk of a breach that could put them at significant financial and reputational risk. Having a reliable, independent, third-party CPA perform a service to provide confidence that systems are reliable and information is protected is just as important to the service organizations themselves as it is to the companies that outsource to them.
Amato: These are great reminders. We’ve mentioned a lot of resources; those resources and the JofA coverage will be linked in the show notes, as I said. Amy, anything to add in closing? Thanks for being on today.
Pawlicki: I’m oversimplifying here, but it comes back to the old adage, “you get what you pay for.” At the end of the day, when it comes to compliance, all parties need to remember that a check-the-box mentality is not a good long-term strategy. Compliance requirements and services like a SOC 2 engagement that help companies meet those compliance requirements are not easy because they address complex systems. But not addressing the risks inherent in those systems in a meaningful way could be much more costly for all parties involved, financially and reputationally.
Amato: Again, thanks to Amy Pawlicki, the AICPA’s vice president–Assurance & Advisory Innovation. This is Neil Amato with the Journal of Accountancy. Thanks for listening.