CPA Exam Changes: SOC Reports
Welcome to the third blog in our series highlighting three of the big changes coming to the CPA Exam. In our first piece, we talked about developing “a digital and data-driven mindset” and the associated data-focused changes to the exam. And, in the second, we discussed the increased focus on technology and business processes and the related exam changes.
For this blog, we’ll be examining SOC Reports and their impact on the AUD and BEC sections of the CPA Exam. But first, let’s take a step back and review why the CPA Exam is changing in the first place—and how SOC Reports fit in.
The changes to the CPA Exam generally focus on data, technology and business processes. The AICPA feels that it is important for newly licensed CPAs (nlCPAs) to not only be able to make the proper calculations, but to “understand the flow of transactions within business processes and information systems.”
This is due to technical advancements that have increased CPAs’ role as technology and process advisors. According to the AICPA, this means that CPAs should, at a minimum, “have an understanding of data, including where and how it may be accessed and be able to converse with clients about data and its potential use.”
Many companies use third parties or third-party systems, also known as service organizations, to process some part of their accounting transactions. So where do SOC Reports fit in?
SOC (System and Organization Controls) Reports are a suite of reports a CPA may provide in connection with auditing controls at a service organization. When a SOC report is issued, it verifies to stakeholders that the service organization has a system of controls in place and provides insight into the auditor’s assessment of the controls. The scope of the SOC report may include an audit of controls relevant to financial reporting (SOC 1®) or it may focus on addressing technology and data issues like security, availability, processing integrity, confidentiality and privacy (SOC 2®). As more and more businesses outsource their processes to outside organizations, using SOC reports to evaluate these third-party partners and the related impact on their client’s system of controls is an essential skill for the modern CPA.
Because of the nature of SOC reporting, it’s easy to see how these reports fit into the AICPA’s larger objectives of adding increased data, technology, and business process content to the CPA Exam, especially on the AUD and BEC sections. Let’s turn to the exam itself and review what new information you need to know about SOC Reports across the revised AUD and BEC sections. Overall, the two sections will cover information related to the increased reliance on SOC reports in the modern accounting landscape.
The AUD section of the exam will now cover the following topics related to SOC Reports:
- Differences between SOC 1® and SOC 2® report types
- Understanding the impact of using a SOC 1® Type 2 report in an audit
- Using a SOC 1® Type 2 report to determine the nature, extent and timing of procedures to be performed in an audit
Let’s briefly review each of these topics.
SOC 1® Reports are used to report on controls at a service organization that are relevant to the internal control over financial reporting of the outsourcing company (user entity). SOC 2® Reports also report on the service organization’s internal controls, but the focus is on controls related to operations and compliance. SOC 2® reports focus on controls over one or more of the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy. Both SOC 1® and SOC 2® reports can be issued over the design and implementation of the controls (Type 1 report) or include the design, implementation, and operating effectiveness of the controls (Type 2 report). CPA candidates should be able to demonstrate an understanding of the various SOC report types and determine the appropriate use for each.
In today’s data-driven world, SOC Reports are an essential tool to understand. Obtaining a SOC 1® Type 2 report related to the internal controls at a service organization can be an effective step for both management and the auditor of the user entity in assessing the impact of the service organization’s controls on the controls of the company.
If the SOC 1® Type 2 Report reveals issues or concerns, the user entity and its auditor will need to dedicate time and resources to addressing the issues and assessing the impact to the overall audit. A clean opinion on a SOC 1® Type 2 Report can enhance customer trust and reduce further burden on the user entities and their auditors. nlCPAs should be able to clearly understand the role of a SOC 1® Type 2 report within the context of an audit and assess the impact the report may have on the related audit plan.
Using a SOC 1® Type 2 report to determine the nature and extent of testing procedures performed in an audit
Depending on the nature and extent of the services provided by an organization, a SOC 1® Type 2 report can have a significant impact on the audit of the user entity. When a SOC 1® Type 2 report is obtained and the auditor of the user entity is satisfied regarding the competence and relevance of the report, it may be used as evidence to reduce the assessed level of control risk for the areas of the company affected by the service organization.
This assessment may impact the design and nature of the related audit procedures. nlCPAs should be familiar with criteria used to assess the competence and relevance of the SOC 1® Type 2 report.
For the BEC section of the exam, you’ll need to understand these key topics:
- Identifying the appropriate SOC report to meet a user entity’s needs
- Reviewing SOC reports to obtain information such as period covered, modifications, and complementary user entity controls
- Using SOC reports to understand risks and other considerations with cloud computing and IT outsourcing arrangements
It’s critical that nlCPAs be able to choose the appropriate SOC report type for specific situations. Moreover, CPAs need to understand how to read the reports and identify and interpret key pieces of information, as nlCPAs will encounter these types of reports more often as companies continue to shift towards outsourcing data and IT-related processes. SOC reports play a major part in assessing the impact of outsourcing on business processes and controls, especially in the technology-centric 21st-century landscape, so it’s imperative to know these topics inside and out.
Becker is here to help you understand SOC Reports, data, technology, business processes and everything else you need to know for the CPA Exam.
You can do this. And Becker is here to support you, every step of the way.