Do we need a CPA firm for SOC Attestation?

Published on : 11 Mar 2021



Emerging technology and the growing trend of outsourcing critical business operations to third parties have greatly exposed businesses to Cyber Security threats and Compliance Risks. In response, global regulatory bodies have started placing great emphasis on Cyber Security and Compliance for businesses. The AICPA Attestation Standards require CPA firms to enter the Cyber Security space, auditing Service Organizations and helping them establish strong and effective internal controls over financial and non-financial reporting.

With that background, today’s article explains why a Service Organization needs a CPA firm for SOC Attestation and describes the role of a CPA firm in the SOC Audit and Attestation process. Before getting into the details, let us first understand who a CPA is.

Who is a CPA?

In the AICPA’s attestation standards, a CPA is a Certified Public Accountant who is qualified to perform an audit and attestation for Service Organizations on their internal controls over financial and non-financial reporting based on their SOC1 or SOC2 requirement.

The CPA examines and reports on controls at the Service Organization: either controls that affect user entities’ financial reporting, or controls that affect the Security, Availability, and Processing Integrity of the systems and the Confidentiality and Privacy of the information processed for user entities’ customers.

Why do we need a CPA firm for SOC Attestation?  

A SOC audit and attestation can only be performed by an independent CPA (Certified Public Accountant), as per the AICPA SOC Audit Attestation norms. SOC auditors are regulated by the AICPA and must adhere to the specific professional standards established by the AICPA.

They must follow specific guidelines for planning, executing, and supervising audit procedures, and must ensure their audits are conducted in accordance with accepted auditing standards. CPA firms are therefore qualified to help Service Organizations face the evolving Cyber Security and Compliance challenges through SOC examinations. The audit conducted and the attestation issued are a source of credibility and trust for the clients and stakeholders of Service Organizations.

SOC Audits performed as per the AICPA attestation standards allow CPA firms to render an opinion on the design and operational effectiveness of internal controls and the presentation of management’s description of the examined system.

The attestation received from the CPA firm after the audit permits the Service Organization to demonstrate its compliance with the standards to its clients. The audit evaluates the organization against varied risks, both financial and non-financial, and provides reasonable assurance, in the form of the auditor’s opinion, on the Service Organization’s security posture against those growing risks.

Role of a CPA in a SOC1 or SOC2 Audit Report

As mentioned earlier, a SOC Audit can only be performed by an independent Certified Public Accountant (CPA). Further, SOC Audit Reports can only be completed by a CPA firm that specializes in auditing IT and business process controls. SOC reports are attestation reports in which the CPA provides an opinion on whether it agrees with management’s assertion that the necessary controls are in place to meet the objectives of the SOC Attestation Standard.

The CPA firm’s opinion may be either unqualified or qualified, depending on whether the Service Organization’s controls meet the relevant control objectives as stated in its management assertion.

SOC 1 and SOC 2 audit reports feature four main sections that users of the report will need to consider. These are:

  • Management’s Assertion
  • Description of Services
  • Auditor’s Opinion
  • Results of Testing

The most crucial part of the report is the point at which the auditor provides his/her opinion on the Management’s Assertion, read together with the description of services and the results of testing. A non-qualified firm cannot provide an opinion on this. Only a qualified and independent CPA firm can perform a SOC Audit and Attestation.

The CPA must comply with all the current SOC audit and attestation standards established by the AICPA. The CPA or auditor performing the audit must have the technical expertise, training, and certification to perform such audits. Since SOC2 is a very technology-intensive standard, it is advisable to engage a qualified CPA who holds additional certifications such as CISA, CISSP, etc., or an auditor who is supported by an InfoSec expert for the audit and report drafting.

Engaging any firm or auditor other than a qualified CPA firm will render the report void, and a CPA who participates in such an arrangement can be reported to the AICPA and even lose his/her license. However, a CPA firm may employ a non-CPA professional with relevant information technology and security skills to participate in preparing for a SOC audit, provided the final report is issued only by a qualified CPA.

Consequences of performing SOC Attestation by a Non-CPA firm

A SOC 1 or SOC 2 audit performed for a Service Organization by a firm that is not a qualified CPA firm will be considered illegal and invalid. Further, the organization will have to have the audit performed again for each period in which there was unwarranted reliance on the invalid report. The AICPA and state accountancy law set out clear eligibility requirements for a CPA firm, as reflected in the points given below:

  • “Auditor should not assume responsibility for the predecessor auditor’s work or issue a report that reflects divided responsibility” (AICPA, AU315.16).
  • “The independent auditor also has a responsibility to his profession, the responsibility to comply with the standards accepted by his fellow practitioners” (AICPA, AU110.10). This includes adherence to CPE, Ethics, and licensing requirements.
  • “No person, partnership, professional corporation, or limited liability company shall, without an active certificate of a certified public accountant or a valid registration: Attest or express an opinion, as an independent auditor” (Colorado Revised Statute 12-2-120 Unlawful Acts (6)(II)(B)).
  • “The practitioner must adequately plan the work and must properly supervise any assistants” (AICPA, AT101.42).
  • “Attest services may only be rendered through firms holding permits from the state” in which they are performing attest services (Uniform Accountancy Act, Section 7).

Final thought

Service Organizations seeking SOC1 or SOC2 Attestation must have the audit performed by a qualified CPA firm to receive a valid attestation. There is no shortcut or way around this other than following the attestation guidelines and requirements set by the AICPA. Non-compliance will not only leave you with a tarnished reputation in the market and a loss of your clients’ trust, but also a loss of business. We highly recommend visiting the official AICPA website to learn more about qualified CPA firms before you approach one for your SOC1 or SOC2 Audit and Attestation.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.