Who Can Perform a SOC Audit?
As the requirement to receive SOC 1 or SOC 2 reports as part of a contract, request for proposal (RFP), or security program increases as a barrier to receiving major clients, it’s important to understand who can perform these audits. This post will identify a number of questions to answer who exactly can perform SOC 1 and SOC 2 audits.
Can a Non-CPA Organization Perform a SOC 1 & SOC 2 Audit?
No. If a firm is not a certified CPA firm, then they cannot complete a SOC 1 or SOC 2 audit that will be acceptable in the eyes of the AICPA and users of the report cannot rely on the contents provided within.
A SOC 1 and SOC 2 examination has at least four main sections that users of the report should look for. Those include the following:
If a firm completes a SOC audit that is not a certified CPA firm, then they cannot provide an opinion of the contents detailed within the Description or Services and Results of Testing. Because of this, it is imperative to confirm that the firm your organization chooses to perform the SOC audit, meets this fundamental requirement.
Can Non-CPA Organizations Partner with CPA firms to Perform SOC 1 & SOC 2 Audits?
No. If you think otherwise, contact any member of the AICPA Trust Information Task Force. Any one of them would be more than happy to take down your information and have a dialogue with you about this topic.
With that said, the AICPA requires that team members that work on engagements have a certain level of competence and capabilities. While a non-CPA organization may have the technical capability to perform a review of the services or system being examined, they must also have experience with the following:
This, however, does not mean an auditor cannot enlist the use of a specialist, if required, to complete an audit. This question will be addressed in question number five.
Yes. As part of the AICPA Code of Conduct, CPA firms MUST be independent before they can engage with a client to perform an audit. The AICPA requires that “a member in the public practice should be independent in fact and appearance when providing auditing and other attestation services,” such as a SOC 1 or SOC 2 examination.
What are the Ramifications to the Service Organization if One of the Above has Happened?
Any user organization and/or user auditor that relied on the SOC 1 or SOC 2 examination report from the service organization may have placed unwarranted reliance on that SOC report. In other words, the user organization’s financial statement audit may have to be performed again for each period in which there was unwarranted reliance. Moreover, it is illegal to depart from state laws in regard to performing attestation services.
SOC 1 and SOC 2 follow the guidance found within the Statement on Standards for Attestation Engagement (SSAE 18). SSAE 18 is meant to be a clarification and recodification which replaces SSAE 16 as the standard for SOC 1 reports. SSAE 18 has integrated concepts found in AT-C section 105, Concepts Common to All Attestation Engagements; AT-C section 205, Examination Engagements; AT-C section 210, Review Engagements; and AT-C section 215, Agreed Upon Procedures. These standards together are now the standards for both SOC 1 and SOC 2 reports. For more information on SSAE 18, check out other posts linked within the summary section.
Guidance also exists that states that the only type of organization that may perform a SOC 1 and SOC 2 audits is a licensed CPA firm. The following bullets are selected excerpts from authoritative sources listing some, but not all, of the relevant guidance supporting the comments above:
Can a Firm Use the Work of a Specialist to Perform a SOC 1 or SOC 2 Examination?
Yes. When engaging to perform a SOC 1 or SOC 2 examination, the auditor may decide it is necessary to enlist the use of a specialist. AT-C 205, Examination Engagements requires that auditors assess the following items:
Through consideration and documentation of the items listed above, an auditor can engage the use of a specialist.
The overall goal of an attestation engagement is to provide users of the report or clients of subservice organizations, in this case, with an opinion on the assertions made by management. As a result, report users can place reliance on the information before deciding whether they want to put an agreement or contract in place to use that system or service. Because reliance is placed on these reports to enter into or agreement often times, it is important to understand who exactly can perform a SOC 1 and SOC 2 audit.
The main take-away from this post is this: if the report is not completed by a CPA firm, the report should not be relied on.