The adoption of cloud computing and growth in outsourcing key financial services has grown exponentially over the years. The American Institute of CPAs (AICPA) created a framework for assessing whether or not their business and system controls are reliable and trustworthy (System and Organization Control reporting or SOC reporting).

SOC reporting has been around for some time to ensure these service organizations are providing the proper protection of private information or providing complete and accurate reports to their customers relying on that data for their financial statements. SOC reports have become an increasingly important priority for services providers, their users, and the companies that provide audit and compliance services for those users. Recently, the AICPA released a new standard impacting both SOC 1 and SOC 2 reporting.

New SOC Reporting Changes Effective May 1, 2017

If you issue or receive a SOC 1 or SOC 2 report, recent changes issued by the AICPA will not only impact your service auditor’s requirements, but also impact your requirements as a service organization or as a reader of a service organization’s report. These changes outlined in the SSAE No. 18 (Statement on Standards for Attestation Engagements) went into effect on May 1, 2017.

The primary changes for SOC reporting include new requirements for the following areas:

    1. IPE (Information Produced by the Entity)—The new SSAE No. 18 requires practitioners to obtain evidence about the accuracy and completeness of the information provided by the service organization. What this means for service organizations is that they may be required to provide more evidence than in the past.  Your service auditor may already be doing this or they may not be.  If they were not, examples might include providing the query used to generate a report or population or screenshots of the report parameters used to generate a standard system report.
    2. Vendor management and monitoring of subservice organizations—When evaluating third parties the practitioner and service organization should work together to clearly define vendors vs. subservice organizations. The service organization will also need to work with their service auditor to define and include complimentary subservice organization controls (CSOCs) in the report that are relevant to the control environment and map to the relevant control objectives.  These are important new considerations as potential opinion modification is possible if the subservice organization has a pervasive impact to the service organization’s control environment.
    3. Complementary user entity controls (CUECs)—Under the new SSAE No.18 requirements, complementary user entity controls should be limited to controls that are necessary to achieve the control objectives stated in management’s description of the service organization’s system.  This may have little or no impact to some service organizations but you may need to ensure all CUECs listed in their report are truly needed and relevant to the achievement of control objectives stated in the report.
    4. Internal Audit & Regulatory Examinations—Also outlined in SSAE No. 18, AICPA offers a new requirement for service organizations to read the reports of the internal audit function and regulatory examinations that relate to the services provided to user entities and the scope of the engagement.

What other changes are coming for SOC reports?

The AICPA announced a new type of SOC report, called the SOC for Cybersecurity, in May of 2017. The road to a healthy, well-functioning cybersecurity risk management program for any organization is a long road and there are many steps along the way.  As organizations take that journey, the SOC for Cybersecurity report is designed to provide a mechanism for them to demonstrate the effectiveness of their cybersecurity risk management program to their stakeholders, which could likely include customers, shareholders, Board of Directors, and other relevant parties. While this new report is voluntary, many organizations are already exploring the possibility of obtaining a SOC for Cybersecurity to help them most effectively address the questions that they are regularly fielding from stakeholders. LBMC is currently preparing a separate blog article that will provide more insights about this new examination, so stay tuned.  While this new report is an example of how the AICPA is adapting to provide entities with new examination and reporting vehicles, as technology continues to advance, the SOC landscape will also continue to evolve.

At LBMC Information Security, our compliance and audit division is working to help our clients by incorporate the latest changes outlined by the AICPA to ensure compliance and build a strong and trusting relationship with their clients and regulators.

If you have questions about the latest SOC requirements or what your business can do to maintain compliance with the latest financial cybersecurity requirements, contact our team today to learn how we can help.