SOC 2 (Service Organization Control) audit reports provide detailed information as well as an assurance about service organizations’ security, availability, confidentiality, and processing integrity. These reports are based on the organizations’ compliance with the Trust Services Criteria (TSC) of the American Institute of Certified Public Accountants (AICPA). A SOC 2 audit is a significant component in internal risk management and governance, regulatory oversight, and vendor management programs.
Today, many businesses often request service organizations to perform SOC 2 audits to ensure compliance with regulations relating to intellectual property and the privacy of customer data. If your organization is looking to conduct an audit for the first time, you should know how to go about the process. Likewise, you must find someone to perform the audit. However, the main question that always lingers is, who can conduct a SOC 2 audit?
Typically, SOC 2 audits are performed by independent Certified Public Accountants (CPA). While performing an audit, a CPA is required to comply with all of the current updates to each SOC audit type, as stipulated by the AICPA. Besides, the auditors also need to possess technical expertise, certification, and training to conduct such engagements.
Audits Should Only Be Performed by CPA Firms
As per AICPA guidelines, the firm that you engage to undertake a SOC 2 audit on your behalf must be CPA-certified. A firm that is not certified cannot perform either a SOC 1 or SOC 2 audit. If such firms go ahead and perform an audit, anyone who uses the audit report thereafter cannot rely on the credibility of its contents.
Since the AICPA regulates SOC auditors, they are required to comply with specific professional standards established by the organization. Also, they should follow specific guidance relating to the planning, execution, and supervision of audit procedures. The AICPA similarly allows its members to undergo a peer review process to ascertain that their audits comply with accepted industry standards.
While undertaking SOC 2 audits, CPA firms are allowed to employ non-CPA professionals who have relevant IT and information security skills. The work of these professionals is to help the firms prepare for an audit. However, the final report out to be prepared and issued by a certified public accountant. Successful SOC 2 audits undertaken by CPAs permit service organizations to include the AICPA emblem on their websites.
Can CPA Firms Partner With Non-CPA Organizations To Undertake An Audit?
According to the AICPA Trust information Taskforce, non-CPA organizations cannot partner with CPA firms to undertake SOC 2 audits. Team members who conduct the audit are required to possess a specific level of capabilities and competence. Although non-CPA firms or professionals should possess the technical expertise to review the system or services being examined, they also need to:
- Be experienced in evaluating the design of all controls as well as their operating efficiency. This ascertains that they have functioned for a specific period, and meet the requisite service criteria, as stated in the report.
- Understand the professional standards stipulated by theAICPA’s Code of Conduct and other audit standards that require auditors to apply professional judgment and skepticism.
Before a CPA firm enlists the services of a specialist during an audit, the following should be assessed.
- The specialist should possess the requisite skills besides understanding the system of service that is getting audited. Likewise, specialists must also be independent for them to take part in the audit.
- There should be sufficient evidence available to auditors to determine whether the specialists have the requisite proficiency and expertise. They should also understand their roles and the scope of their work during the SOC 2 audit.
- The auditor and specialist should agree on the objectives, scope, and nature of the work that the latter will undertake. Likewise, the confidentiality requirements and duties of the specialists must be clearly highlighted.
CPA firms can be exempt from SOC 2 audits. The AICPA requires CPA firms to be independent for them to perform SOC 2 audits. According to the AICPA Code of Conduct, a member organization must be independent in both fact and appearance for it to provide SOC 2 audit and attestation services.
If clients or service providers entrust your organization with private or confidential data, you should regularly undertake SOC 2 audits. Reports from such audits go a long way in helping you gain trust in the eyes of your clients and other stakeholders. The reports also help you to meet the specific needs of your clients and the industry at large.
Nonetheless, not everyone can perform a SOC 2 audit. The task should be left to independent certified public accountants who understand AICPA guidelines. Engaging these experts during an audit ensures that the final report meets the five trust principles of the AICPA. With an audit report prepared by experts, you will be able to pinpoint areas of weakness, something that helps you stay SOC 2-compliant.