SOC 2 – Independence & Ethics (2022 SOC 2 Guide)
#cpa responsibilities around #independence and ethical requirements have been around a long time (and they apply to SOC engagements). I’m not going to go into every aspect of the #aicpa Code of Professional Conduct (or specifically the “Independence Rule”), but I am going to discuss a few things the 2022 SOC 2 Guide updated or refined regarding independence in SOC 2 engagements.
Here are some key things to remember:
1 - This is a complicated area. The AICPA has released an FAQ on the use of automated tools. Be sure to read it for more detail!
2 - A common scenario I come across with this topic is penetration testing and/or vulnerability scanning. Let’s look at an example:
- A CPA firm offers vulnerability scanning services in their portfolio.
- The client has the CPA firm perform an annual external vulnerability scan on their environment.
- The client performs their own internal quarterly vulnerability scans.
- CPA firm scan results are used by client management as information gathered for the larger, overall risk assessment (which in turn drives risk remediation and mitigation activities).
Because management is using the CPA firm’s scan as one input to its own risk management, and it also runs its own quarterly scans, the CPA firm is effectively providing management with information, and it stops there. The CPA firm is not making management decisions, and the CPA firm’s scan results (while useful) are not key to management meeting its SOC 2 objectives and controls, because management could still perform its risk and vulnerability assessments without that information.
Change a few things (even slightly) and the outcome is different. If management has a control of "external scanning performed" within its risk assessment activities (meaning the CPA firm’s scanning is a key part of the client’s control environment), then the CPA firm becomes a subservice organization and independence is impaired.
Other things to note:
- If your client uses a subservice organization under the inclusive method, you would have to be independent of both the client and the subservice org.
- Make sure your firm’s policies and procedures address quality control, independence, and ethical standards. I recommend you also attach a current list of your attest (SOC) clients. Have your staff acknowledge those policies and procedures and the current client listing annually, confirming they have read them and are independent of all clients.
- Keep in mind that you can reduce independence threats to an acceptable level through safeguards. This is where documentation and memos in the engagement file can be really helpful. A situation that raises the independence question might be fine, and you may know why it’s fine, but you should still document the reasoning so that peer review (or anyone else who needs to see the file) can follow it.
- The AICPA has a dedicated team for independence and ethics should you have any questions that need answering! I call them whenever there is a situation I’m not sure of, and they are very helpful. Questions related to auditor independence should be directed to the Ethics Hotline at 1-888-777-7077 (select option 2, then 3) or [email protected].
Independence has been a hot topic in SOC 2 and remains one of the biggest areas CPAs must comply with to better serve their clients and the industry. This is a complex topic, and I have only scratched the surface here. I highly recommend you review the AICPA Code of Professional Conduct, SQMS 1, QC 10, and other AICPA professional standards for more detailed information. Of course, if you have questions or want to discuss further, leave a comment or DM me!
Hey #cpafirms! If you need outsourced help with establishing a SOC program, #peerreview (a pre-review look or post-review remediation of findings or recommendations), EQCR, workpaper review, SOC-specific training, or anything else SOC-related, give me a shout! I’m happy to give back to the #CPA community and their firms, or to anyone who needs additional information and guidance in the SOC space.
Comment (1 year ago): I believe competence should also be a big component; the CPA providing oversight must have the qualifications to do so. I have seen cases where a CPA with zero experience or education signs reports... how can someone sign something they do not even understand?