AICPA Issues Exposure Draft for Service Organization Control (SOC) 1 Examinations


By Heather Haemer

On September 18, the AICPA issued an exposure draft for the proposed Statement on Standards for Attestation Engagements (SSAE) “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: Clarification and Recodification.” The proposed SSAE would supersede AT Section 801, Reporting on Controls at a Service Organization, of Statements on Standards for Attestation Engagements [AICPA, Professional Standards]. While the effective date has not been finalized, the earliest effective date being considered is for report periods ending on or after December 15, 2016.

The proposed changes to AT 801 have been drafted to align it with chapters 1-4 of the Auditing Standards Board’s most recent version of the exposure draft of “Attestation Standards: Clarification and Recodification,” to provide additional guidance and language from the most recent AICPA SOC 1 Guide, and to provide clarity surrounding challenges and issues that auditors have encountered when conducting SOC examinations. The exposure draft provides a summary of the proposed changes, highlights of which include:

  • Introduction of the term “complementary subservice organization controls”;
  • Revision of the definition of complementary user entity controls;
  • Requirements for service auditors with respect to the work of the internal audit function and regulatory examinations that relate to services provided by the service organization and the scope of the SOC examination;
  • Requirements for service auditors with respect to performing risk assessments;
  • Addition of application guidance relative to examples of information evaluated by service auditors and language that the service auditor may add to the description of tests of control effectiveness regarding verification of completeness and accuracy of information provided by the service organization.

The AICPA also released a mapping document with the exposure draft to summarize changes to the proposed standard and identify where language from the superseded standard resides within the proposed AT 801 and/or the clarified attestation standards.

Schneider Downs has a dedicated team of professionals in Pittsburgh, PA and Columbus, OH who provide SOC services. We invite you to learn more about our SOC services.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
