AICPA Warns Users on How SOC 2 Tools Can Impact Auditors’ Responsibilities & Compliance
As companies increasingly utilize SOC 2 tools to streamline their compliance processes, it’s essential to understand the potential implications these tools may have on service auditors’ responsibilities and professional conduct. This article will examine the benefits and potential pitfalls associated with using SOC 2 tools, as well as the impacts on service auditors’ ethical compliance and objectivity in various scenarios.
The AICPA recently published a cautionary note regarding the improper use of tools developed by non-CPA software creators aimed at enhancing service organizations’ readiness for SOC 2 examinations. According to “FAQs – Effect of the Use of Software Tools on SOC 2® Examinations”, incorrect usage of these tools could lead to SOC 2 examinations and associated reports that fail to comply with professional standards.
Advantages of Using SOC 2 Software
Utilizing software to automate the SOC 2 audit process offers several advantages for both service organizations and auditors. These benefits include enhanced efficiency through centralized documentation organization, improved management of risk assessments, vendor management, and control monitoring, as well as potential time and cost savings. By leveraging software solutions in the SOC 2 audit process, organizations can streamline their compliance efforts and better maintain robust security controls within their systems.
SOC 2 tools can improve the efficiency of service organizations by collecting and organizing documentation in a central repository or integrated data connections, which allows service auditors easier access to the information.
Some automated SOC 2 tools may enable service organization management to perform functions, such as risk assessment, vendor management, and control monitoring, more effectively.
Risks of Using SOC 2 Software & How We Address Them
Although using software to automate the SOC 2 audit process can offer many benefits, there are also potential risks associated with its implementation. Some of these risks include incorrect setup or configuration of the tool, which could lead to inaccurate information and improper conclusions in the audit.
Additionally, there may be a risk of overreliance on the tool by management, which could result in inadequate control design and maintenance. The use of such software also might present challenges in maintaining compliance with professional standards and ethical rules for service auditors, particularly when dealing with potential conflicts of interest arising from business relationships between auditors and SOC 2 tool providers. It is essential to properly manage these risks to ensure a successful and accurate SOC 2 audit process.
Risk: Incorrect Set-Up
Tools need to be properly designed, configured, and managed to ensure that they provide the expected benefits. If the SOC 2 software is not set up properly, it may give the service auditor wrong information, leading to incorrect conclusions in the SOC 2 examination. For example, if the tool doesn’t collect data correctly from your organization’s systems, it may show inaccurate information.
Solution: Guided Set-Up
“No tool is perfect; they all have their challenges, and we are good at identifying what those are and how to work around them. A lot of these tools will automatically generate a set of controls and a set of requests in preparation for a SOC 2 audit. Yet, every client’s environment is different and every audit looks different in real life. We help our clients from the very beginning to make sure that everything is set up correctly.” – Phil LaRocca, CISA, IT auditor, and senior consultant at I.S. Partners
Risk: Incorrect Usage
If your organization’s management doesn’t have the right skills or knowledge to use the SOC 2 tool properly, they might heavily rely on the tool’s built-in features, such as its risk assessment function, list of common controls, or library of policies and procedures. As a result, management may not be able to take responsibility for designing and maintaining effective controls to meet their commitments and system requirements.
Solution: Assisted Implementation
“I.S. Partners is agile; we’re proficient with technology and adept at understanding and utilizing software tools in order to successfully deliver an end report. As a firm, we understand fully the details of the Trust Services Criteria. We have a reasonable grasp on the points of focus within the SOC 2 framework, so we understand how to enable software tools to accurately reflect our clients’ control environments as well as enable the request process to ensure that we are getting sufficient and adequate evidence for the audit.” – Joe Ciancimino, CISA, CRISC, and director at I.S. Partners
Risk: Non-Compliance with All Relevant Standards
Service auditors need to ensure that using a SOC 2 tool does not change their responsibilities to comply with relevant professional and ethical standards.
Solution: Experience with Tools & Audits
“I.S. Partners’ auditors really know the points that need to be addressed for a comprehensive SOC 2 audit. A tool, on the other hand, may not address all those points in the TSC. We’ve seen instances where some documentation is missing, or the tool is not guiding the client along industry best practices. So, we work with our clients to resolve those challenges. Our end goal is to make our clients’ lives easier.” – Joe Ciancimino, CISA, CRISC, and director at I.S. Partners
Risk: Conflict of Interest
Certain business relationships between service auditors and SOC 2 tool providers may threaten the auditor’s compliance with professional and ethical responsibilities. There could be circumstances where using an automated SOC 2 platform can threaten the service auditor’s independence, especially if the tool provider is considered a subservice organization that’s part of the examination.
Solution: Software-Agnostic Stance
“We will always maintain our independence as a firm and examine what we see accordingly. We talk frankly with our clients and ask questions about every control to make sure that we maintain our objectivity in the audit process, regardless of the software platform they are using.” – Phil LaRocca, CISA, IT auditor, and senior consultant at I.S. Partners
Risk: Compromised Ethical Compliance and Objectivity
Depending on the relationship between the service auditor and the software provider, some situations may threaten compliance with ethical rules and professional objectivity. For example, if the software provider promotes the service auditor’s services and offers discounts on the auditor’s fees, or if the auditor pays the SOC 2 software provider for client referrals.
Solution: Procedural Operations Based on Ethics
“I.S. Partners doesn’t have exclusive relationships with any software companies. In fact, we maintain a software-agnostic stance in support of our ethical obligations and due diligence. We are serious about going into every engagement with an open mind, and no expectations. In any instance, whether we are using a software tool or starting from scratch, our clients could give us a set of controls and requests, but we re-validate all of that information. That’s built into our procedural operations when doing audits. We perform re-validation of every control within an engagement specifically to maintain objectivity.” – Joe Ciancimino, CISA, CRISC, and director at I.S. Partners
How does the use of a SOC 2 tool affect the auditor’s responsibilities?
The service auditor is in charge of conducting a SOC 2 examination according to the required guidelines. Although using a SOC 2 tool doesn’t change the auditor’s responsibilities, it might affect how the auditor carries out those responsibilities. Here are a few examples:
- If management uses a SOC 2 tool’s list of common controls without customizing them to the organization’s specific needs, they might not address unique risks. For instance, a tool might suggest quarterly vulnerability scans, but an organization in a high-risk industry might require more frequent scans. Management must tailor the controls to the organization to prevent gaps in control design that would negatively affect the auditor’s opinion.
- When management uses a SOC 2 tool to collect documents for the auditor, the software-generated information is considered information provided by the entity (IPE). Management is expected to verify the accuracy and completeness of this information. The auditor’s responsibility to obtain enough evidence to support their opinion remains the same. The auditor needs to verify the reliability of the IPE and may perform procedures to ensure the platform works as expected.
- If an organization uses an automated SOC 2 tool and services provided by the same company, the auditor needs to understand the processes and controls performed by the software. Management is responsible for determining whether the software provider is a sub-service organization and for addressing any risks and controls associated with it. If the software company is a responsible party in the examination, the service auditor needs to maintain independence from the software company.
This is why the AICPA advises that using a SOC 2 tool may affect how service auditors meet their responsibilities, but their main responsibilities remain the same.
Can a service organization’s use of a SOC 2 tool create situations that threaten an auditor’s independence?
Yes, there are circumstances where using an automated SOC 2 platform can pose threats to the service auditor’s independence. If the tool provider is considered a sub-service organization and the service organization’s management chooses to use the inclusive method to describe the services provided by the sub-service organization, the sub-service organization’s management would also be considered a responsible party in the SOC 2 examination. In these types of situations, the service auditor must maintain independence from the sub-service organization.
Can business relationships between an auditor and a SOC 2 tool provider threaten the auditor’s ethical compliance and objectivity?
Yes, depending on the nature of the relationship between the service auditor and the software provider, some situations may threaten compliance with ethical rules and professional objectivity.
Discounts and Objectivity
For example, if the software provider promotes the service auditor’s SOC 2 services and promises clients a discount on the auditor’s fees, the auditor should refer to the “Integrity and Objectivity Rule” and the “Advertising and Other Forms of Solicitation Rule.” The auditor needs to make sure that the software company’s offer is not false, misleading, or deceptive.
Referral Fees and Disclosure
If, for example, the auditor pays the SOC 2 software provider for client referrals, then the “Commissions and Referral Fees Rule” applies. The auditor should disclose the referral fee in writing to all new clients.
Audit Evidence and Reliable Accuracy
Here’s another example. If the service auditor relies only on the SOC 2 tool to generate all audit evidence and wants to sign the SOC 2 report generated by the tool, they must still comply with the “Compliance with Standards Rule.” The auditor’s responsibilities in a SOC 2 audit don’t change because the service organization uses a SOC 2 tool; the auditor must still ensure that all applicable standards are followed.
Overall, the nature of the relationship between the service auditor and the SOC 2 software company matters, and the auditor should always ensure that they comply with the relevant ethical rules and professional standards.
While SOC 2 tools can offer efficiency and improved management for service organizations, they can also present challenges in maintaining compliance with professional standards and ethical rules for service auditors. It is crucial for auditors to be mindful of their responsibilities and potential conflicts of interest that may arise while using these tools. Ultimately, the key to successfully leveraging SOC 2 tools lies in understanding their potential effects and diligently adhering to the professional and ethical guidelines established to maintain utmost integrity throughout the auditing process.
Work with Accredited CPAs on the Software of Your Choice
SOC 2 tools are not a replacement for a trustworthy CPA SOC auditor. Unlike software-only solutions, I.S. Partners ensures that clients have the guidance needed to prepare for a SOC 2 audit and are ready to perform the actual audit. None of the testing is outsourced, and there is no need to engage another firm.
I.S. Partners is ready for this next step in SOC 2 audit automation. Our firm has decided to be software-agnostic, meaning that we are happy to work with clients on the software of their choice. Clients can choose to use our compliance management software, called SAAM, or bring their own. Either way, they get the efficiency and clarity that comes with using a SOC 2 tool plus the expert advice of certified CPAs—at every step.