Within the framework established by the American Institute of Certified Public Accountants (AICPA), there are SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity reports. Each report has its own purpose, approach, materials used, goals and professional standard.
What Is AT Section 101?
AT section 101 is the specific part of the Attestation Standard, established by the AICPA, which serves as the professional standard for SOC 2 and SOC 3 audits. While businesses focusing on financial reporting adhere to the Statement on Standards for Attestation Engagements 18 (SSAE 18), AT Section 101 was designed to provide a set of industry-wide standards for performing SOC 2 and SOC 3 audits.
How It Serves Practitioners of SOC Audits
SOC audits are performed by certified public accountant or auditor, who is known as the “practitioner.” AT Section 101, along with any accompanying documentation, serves two primary functions for the practitioner in reporting:
- Provides principal support for the practitioner’s report that includes representation regarding observance of the standards of fieldwork. This function is implicit in the reference in the report to attestation standards, specifically in AT Section 23, entitled Suitability and Availability of Criteria. It states, “The practitioner must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users.”
- Assists the practitioner in conducting and supervising the attest engagement.
Related article: SOC 1 and SOC 2 Reports – What’s the Difference?
How It Serves Practitioners of Attest Engagements
AT Section 101 has become an increasingly important section of the Attest Engagements for reporting on controls at service organizations.
It applies to engagements in which an entity engages a CPA — or “the practitioner”— to issue an examination, review, or agreed-upon procedures report on specific subject matter regarding a service organization’s internal controls. The section may also be an assertion about the subject matter that is the responsibility of another party.
Attest documentation usually needs to confirm that the process by which the organization has developed its prospective financial statements was considered in determining the scope of the examination.
Choosing the Right Practitioner for SOC Audits & Attest Engagement
As companies becoming increasingly digitized, the need for SOC audits and the AT Section 101 professional standard will only increase. AT Section 101 will play a vital role in reporting on a service organizations’ controls due to the increasing reliance on cloud computing, SaaS, data hosting and digital integrations.
An attest engagement must be performed by a practitioner who has adequate training and experience in the attest function being performed. He or she must also be certain that the subject matter available can stand up to evaluation against suitable and available criteria. Your practitioner must also be independent in fact, philosophy, and approach when performing or supervising an attest function. This role is bound to the Standards of Fieldwork and for Standards of Reporting.
I.S. Partners, LLC is the first and only auditing firm that provides the “seal of excellence” to SOC recipients. Call us or request a quote so we can provide clarification.