A growing number of businesses are asking the service organizations they rely on to undergo regular SOC audits. The audits confirm adherence to defined controls and objectives that protect customer information, human resource data and intellectual property, all of which become more exposed with each additional entity that has access to them.
You may be wondering how a SOC audit is performed and, just as importantly, who is qualified to complete one.
Take a few moments to learn who can best help your organization get through your next SOC audit with flying colors.
What Are SOC Reports?
System and Organization Controls (SOC) reports were developed specifically for third-party service organizations by the American Institute of Certified Public Accountants (AICPA). The reports focus on the service organization's internal controls: the policies and procedures the organization has put in place, described in detail and evaluated against criteria set by the AICPA. Internal controls matter because they directly affect the security and integrity of the user entity's sensitive data.
Client organizations, also known as user entities, must comply with regulatory and/or contractual requirements, particularly when handling customer or patient data, and those requirements naturally flow down to the service organizations they use. With a SOC report, a user entity obtains an independently performed evaluation of a specified service organization's controls as they relate to operations, financial reporting and compliance.
The AICPA has designed three distinct SOC reporting options: SOC 1 (controls relevant to the user entity's internal control over financial reporting), SOC 2 (controls relevant to security, availability, processing integrity, confidentiality and privacy, evaluated against the Trust Services Criteria) and SOC 3 (a general-use summary of a SOC 2 examination).
The primary question for many service organizations is: who is qualified to perform a SOC audit?
Who Is Certified to Perform and Complete a SOC Audit?
SOC audits can only be performed by an independent Certified Public Accountant (CPA) firm. The CPA must follow the most current AICPA standards for each type of SOC engagement. The CPA, or auditor, must also have the technical expertise, training and credentials to perform such engagements.
Therefore, if the auditing firm you normally engage is not a licensed CPA firm, it cannot issue a SOC 1 or SOC 2 report that complies with the standards set by the AICPA, and anyone intending to use the report cannot rely on its contents.
Each SOC 1 and SOC 2 audit features at least four main sections that users of the report will need to look for, including the following:
- Management’s Assertion
- Description of the System (the services and controls in scope)
- Auditor’s Opinion
- Results of Testing
The crucial portion of the SOC audit comes next: the point at which the auditor issues an opinion on the system description and on the results of testing. If the auditor does not hold the proper credentials, or the firm is not a CPA firm, no opinion can be issued at this juncture.
This non-negotiable AICPA requirement makes it essential for any business interested in a SOC audit, whether the service organization or the user entity, to confirm that the auditing firm meets this fundamental requirement before engaging it.
Are There Any Workarounds That Allow a Business to Engage a Non-CPA Organization for SOC Audits?
The short answer is "no." The confusion is easy to understand, since many businesses hire accountants who, for a variety of reasons, may not be CPAs. These organizations may have relied on a trusted accountant, in some cases effectively a bookkeeper, for years to design and implement accounting systems, perform bookkeeping functions, manage cash flow and prepare and file tax returns.
While valuable to the accounting community, these professionals do not hold the license required to perform SOC audits. The AICPA requires that anyone issuing a SOC report demonstrate the competence and capabilities that earn CPA status.
Even if a long-trusted non-CPA auditor has learned the process and steps of a SOC audit, and could carry them out adequately, he or she is not authorized to examine the system or services in scope and issue an opinion on them, and may not appreciate the crucial differences between SOC 1 and SOC 2 engagements.
Further, it is not permissible to have a non-CPA firm perform the groundwork of the SOC audit and then enlist a CPA firm simply to sign the opinion. The CPA firm must plan, perform and take responsibility for the engagement from beginning to end (it may use IT specialists, but under its own supervision), which ensures two main points:
- The evaluation of the design of the controls and, for a Type 2 report, their operating effectiveness over a period of time, against the applicable criteria: the stated control objectives for a SOC 1 report, or the Trust Services Criteria (TSC) for a SOC 2 report.
- The application of the professional standards required by the AICPA, including the AICPA Code of Professional Conduct and the attestation standards that equip auditors to exercise professional skepticism and judgment as required.
Is There Anything That Might Bar a CPA Organization from Performing a SOC Audit?
Yes. The AICPA Code of Professional Conduct requires that a CPA firm be independent of the client, both in fact and in appearance, before it can accept an audit or attestation engagement.
What Happens If a Business Engages a Non-CPA Auditing Firm?
The resulting report, whether SOC 1 or SOC 2, is not a valid SOC report under the AICPA's standards: a non-CPA firm cannot issue the auditor's opinion, so the examination would have to be performed again by an independent CPA firm.
Do You Need a Certified CPA to Perform Your Upcoming SOC Audit?
Do you need more information about the SOC audit and who can perform it for you? Our team at I.S. Partners, LLC. can answer your questions about the latest updates to the AICPA's standards and requirements.