AICPA Emphasizes Auditor Independence in the SOC 2 Industry


As demand grows for SOC 2 reports and the market for GRC compliance tools expands, the AICPA is reminding companies and providers about the importance of auditor independence in delivering audit and nonattest services, as well as the risks of an audit provider reviewing its own work.

The new guidance comes after market changes in which some SOC 2 readiness and audit firms are developing offerings and tools that blur sector lines by offering services traditionally done by the other type of provider. In late 2022, the most recent changes to the AICPA’s SOC 2 Guide placed a heavy emphasis on the concepts of independence and “nonattest” services in response to how much the SOC 2 industry has changed over the last several years.

Surge in Demand for SOC 2 Reports and the Rise of the SOC 2 Readiness Industry

During the last several years, SOC 2 has exploded in popularity. The combined trends of cloud computing and outsourcing, together with the significant emphasis on vendor risk management, have converged to drive exponential growth in SOC 2 demand.

This surge has spurred a whole new SOC 2 readiness industry. Numerous GRC platforms and SOC 2 readiness tools are rushing to market, some backed by major venture and private equity investors seeking to take advantage of this mini-gold rush.

Because they have tremendous amounts to spend on marketing, many of the SOC 2 readiness platforms and GRC providers act as a funnel: the numerous companies that need SOC 2 reports come to them first and are then referred to CPA firms to conduct the audits and issue the reports.

A Focus on Independence

A pillar of the AICPA standards for audit and attestation engagements is that a CPA should be “independent” of the entity they are auditing or providing attestation services to. For example, the CPA should not have financial or other interests in their clients.

The AICPA also focuses on the important concept that CPAs should not audit their own work. In the context of SOC 2, this would mean an auditor should not implement controls, take management responsibility, or insert themselves as a decision-maker in the design and operations of a system. This makes sense as objectivity and independence are central to the ultimate value of the SOC 2 opinion.

Nonattest Services

As noted above, the SOC 2 readiness industry, which would meet the definition of a nonattest service, has been a huge money-maker. But if you look at the total opportunity, readiness is only one part of what is charged to the customer, with the audit firm getting the other portion for executing the audit and providing the audit opinion.

Some readiness platforms have seen this and have spun up their own audit firms. At the same time, some CPA firms have seen explosive growth on the readiness side and, looking to take advantage of demand, are creating readiness tools and GRC implementations to drive revenue.

Other nonattest services that need to be considered include penetration testing, vulnerability management, and incident response. All of those services are central to the control environment, and thus represent a threat to independence if such services are delivered by the same entity responsible for auditing the client’s environment.

AICPA’s Guidance for Auditor Independence

The recently updated SOC 2 Guide is the primary guidance provided by the AICPA defining SOC 2, and it is built upon the AICPA audit and attest standards, including the rules of professional conduct for CPAs. In reference to SOC 2, the AICPA has established Statements on Standards for Attestation Engagements (SSAE) that specify how the CPA should engage with their clients, perform their work, and handle client interactions effectively.

At the end of the day, the new AICPA guidance is a re-emphasis on independence and specifically focuses on the threats to independence created by nonattest services. This is especially true for auditors reviewing their own work, which is a real risk if the auditor is also providing readiness services.

The AICPA is not an enforcement agency; however, it has made clear that it views the proliferation of services that are central to the audited system as threats to auditor independence when they are provided by the same CPA firm that performs the audit. We fully grasp this concept, and believe it is central to the objective insights and value that we provide. Contact us for your SOC 2 readiness and audit needs while ensuring auditor independence.