Overview
KEY POINT: The Audit Guide changes are intended to help organizations better meet the information needs of their customers and business partners who use their SOC 1 Reports. It will be well worth the effort to absorb and embrace this new guidance for 2023 reports, and organizations should start now.
As a reminder, SOC 2 guidance has also changed in the past year. On December 13, 2022, AARC-360 published an article on changes that impact SOC 2s planned for issuance in 2023. Following is a link to that article:
Critical Updates to SOC 2 Examinations: Impact on your 2023 Report – AARC-360
Clarified SOC 1 Guidance Regarding Description of the Service Organization’s System
The System Description section of the SOC 1 is typically the longest section of the report. Judgment is required regarding the level of detail included. The Audit Guide includes several useful elements of guidance:
- The level of detail in the System Description is intended to give the user auditor what they would need if the user entity were performing the outsourced service itself. However, the description does not need to be so detailed that it compromises the service organization’s information security.
KEY POINT: To avoid inadvertently weakening your cybersecurity posture, do not disclose in the SOC 1 System Description details about password configuration rules or other aspects of the IT environment that would assist a threat actor in penetrating your systems. Describe the control (e.g., “password complexity and lockout settings are enforced”) rather than the specific parameter values.
- System Description should generally include key outputs the service organization produces that are regularly provided to the user entity, such as reports or files. This list of reports/files may be in the description or in an Appendix.
- Complementary User Entity Controls (CUECs) and Complementary Subservice Organization Controls (CSOCs) – the level of detail regarding CUECs and CSOCs varies in practice. The Audit Guide includes several examples of both CUECs and CSOCs and options for where these topics can appear in the report, and notes that user auditor preferences vary, for example a preference for broadly written control objectives supported by many CUECs.
KEY POINT: The Audit Guide clarifies system description requirements when a service organization outsources aspects of its technology infrastructure to a subservice organization (e.g., a cloud provider). The SOC 1 Report from the technology subservice organization might include a CUEC that the service organization should address in its own system description. For example, the technology provider’s SOC 1 might have a CUEC requiring users to maintain controls that restrict privileged access to system resources. In that case, the service organization would have a corresponding control in its report, such as: “on a periodic basis, management reviews a list of service organization personnel with access to the technology subservice provider’s system to determine that the access is appropriate”.
- Management is responsible for preparing the system description. The Audit Guide clarifies this further by revising the suggested title of the description as follows:
- Management Description of XYZ Service Organization's Description of Its [Name of System]
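The periodic access review described in the KEY POINT above is usually performed by hand against a console export. As an added example (not code from the Audit Guide or from AARC-360), the script below reconciles a subservice provider's access listing against the internal approved-access roster and HR status, and emits the exceptions a reviewer would have to disposition. The account names, roles, dates and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
"""Periodic privileged-access review against a subservice provider's access listing.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str


# Constructed: accounts as exported from the (hypothetical) provider's console.
PROVIDER_ACCESS = [
    {"username": "alice", "role": "admin", "last_login": date(2023, 3, 1)},
    {"username": "bob", "role": "read-only", "last_login": date(2023, 2, 20)},
    {"username": "carol", "role": "admin", "last_login": date(2022, 9, 5)},
    {"username": "dave", "role": "admin", "last_login": date(2023, 3, 2)},
    {"username": "svc-deploy", "role": "deploy", "last_login": date(2023, 3, 3)},
]

# Constructed: the service organization's approved-access roster (role + approval expiry).
APPROVED = {
    "alice": {"role": "admin", "expires": date(2023, 12, 31)},
    "bob": {"role": "read-only", "expires": date(2023, 12, 31)},
    "carol": {"role": "admin", "expires": date(2023, 1, 31)},     # approval has lapsed
    "dave": {"role": "read-only", "expires": date(2023, 12, 31)}, # approved read-only, holds admin
    "svc-deploy": {"role": "deploy", "expires": date(2023, 12, 31)},
}

# Constructed: HR status feed. Service accounts are legitimately absent from HR.
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}


def review_access(provider_access, approved, hr_status, review_date, dormant_days=90):
    """Return one Finding per exception. An empty list means the listing is clean.

    Checks performed for every account in the provider listing:
      - an approval exists and has not expired
      - the role held matches the role approved (no silent privilege creep)
      - HR does not show the person as terminated
      - the account has been used within `dormant_days`
    """
    findings = []
    for acct in provider_access:
        user, role = acct["username"], acct["role"]
        approval = approved.get(user)
        if approval is None:
            findings.append(Finding(user, "no approval on file"))
        else:
            if approval["expires"] < review_date:
                findings.append(Finding(user, "approval expired"))
            if approval["role"] != role:
                findings.append(Finding(user, f"role {role} differs from approved {approval['role']}"))
        if hr_status.get(user) == "terminated":
            findings.append(Finding(user, "HR status terminated but access remains"))
        if (review_date - acct["last_login"]).days > dormant_days:
            findings.append(Finding(user, f"dormant: no login in {dormant_days} days"))
    return findings


def review_summary(provider_access, approved, hr_status, review_date):
    """Evidence record for the control: what was reviewed, when, and what was found."""
    findings = review_access(provider_access, approved, hr_status, review_date)
    return {
        "review_date": review_date.isoformat(),
        "accounts_reviewed": len(provider_access),
        "exceptions": len(findings),
        "findings": [(f.username, f.issue) for f in findings],
    }


if __name__ == "__main__":
    for username, issue in review_summary(PROVIDER_ACCESS, APPROVED, HR_STATUS, date(2023, 3, 15))["findings"]:
        print(f"{username}: {issue}")
```

Retain the summary record (reviewer, date, exceptions and their disposition) as the evidence the service auditor will ask for; the script only produces the exception list, the removal or re-approval decisions remain a management action.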
Determining Whether an Organization That Provides Services to a Service Organization is a Reportable “Subservice Organization”
In recent years, SOC reporting guidance has continued to enhance the disclosures required about service providers to a service organization. These enhancements are consistent with the general trend towards outsourcing that is prevalent in today’s business environment. The Audit Guide updates include:
- Removing the term “vendor” from the discussion of whether a service provider is a subservice organization. A service provider either is or is not a subservice organization and there is no need to use the term “vendor” for a service provider that is not a subservice organization.
- Inclusion of a table of eight commonly encountered service provider types, a discussion of factors to consider as to whether the service provided is “relevant” to user entities’ internal control, and a conclusion as to whether, in each instance, the service provider would be a reportable “subservice organization”.
KEY POINT: Whether a service provider is a reportable subservice organization depends on the combination of the service provided and the controls the service organization maintains over that service. An example in the Audit Guide is a report printing and mailing service provider, which could be a relevant subservice organization when the information it produces is directly incorporated into information presented to the user entity and then used in that entity’s financial statements. A contrasting example in the Guide is a service organization that maintains its own internal controls over the completeness and accuracy of the reports produced by the printing provider; in that case the report printer would not be a reportable subservice organization.
- Clarification that the System Description regarding subservice organizations should address the controls in place to monitor the effectiveness of the controls at the subservice organization, regardless of whether the ‘carve-out’ or the ‘inclusive’ method of reporting is used by the service auditor.
- Clarification that ‘monitoring’ controls over a subservice organization may include a combination of ongoing monitoring to ensure issues are identified in a timely manner (e.g., regular reporting from the service provider) and separate reports showing that controls were effective over time (e.g., a SOC report from the service provider).
Guidance for SOC 1 Auditors on the Procedures they Perform
The Audit Guide includes clarifications and examples to help the auditor determine what procedures they should be performing as they conduct the examination:
- Information provided by the service organization for the examination – service auditors are required to evaluate whether information presented by the client during the examination is sufficiently reliable. The Audit Guide provides examples and questions to ask that are useful to the auditor and the service organization in the evaluation of the completeness and accuracy of such information.
KEY POINT: Service organizations should ensure that the ‘populations’ commonly provided to auditors are complete and accurate. Examples include lists of employees added to or removed from systems during the examination period, or the list of application changes migrated to production during the period. The guidance is clarified that the auditor cannot rely on IT general controls alone to determine that such information is reliable. Listings provided to auditors need to be observed as they are generated and tested to ensure they appropriately represent the population.
- Auditors are encouraged to attach a listing of reported deviations to the Letter of Representations signed by Management to ensure there is communication and acknowledgement of those deviations to Management.
- Auditors should ask service organizations about the scope of third-party assessments and of the Internal Audit and Internal Risk Management functions, and review relevant assessments from those Internal Audit/Risk functions.
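The KEY POINT on populations above asks the service organization to produce listings the auditor can observe being generated and test for completeness. As an added example (not the Audit Guide's or AARC-360's own procedure), the script below builds a user add/remove population for an examination period from a system event log, records the control totals an auditor would note while observing the extract (period bounds, record count, first and last timestamp, a SHA-256 of the canonical content), reconciles it against an independent source, and re-performs the check on a file handed over later. The event log, ticket numbers and period are constructed assumptions.

```python
"""Auditor population extract with completeness evidence.

Added example; the event log and ticket register below are constructed.
"""
import hashlib
import json
from datetime import date, datetime

# Constructed: raw event log of a hypothetical application.
EVENT_LOG = [
    {"ts": "2022-12-30T09:00:00", "event": "user_added", "user": "zoe", "ticket": "T-100"},
    {"ts": "2023-01-03T10:15:00", "event": "user_added", "user": "alice", "ticket": "T-101"},
    {"ts": "2023-02-14T16:40:00", "event": "user_removed", "user": "bob", "ticket": "T-117"},
    {"ts": "2023-03-01T08:05:00", "event": "password_reset", "user": "carol", "ticket": None},
    {"ts": "2023-06-30T23:59:59", "event": "user_added", "user": "dave", "ticket": None},
    {"ts": "2023-07-01T00:00:01", "event": "user_removed", "user": "erin", "ticket": "T-140"},
]

# Constructed: access tickets closed during the period, from an independent system.
TICKETS_IN_PERIOD = {"T-101", "T-117", "T-150"}

POPULATION_EVENTS = ("user_added", "user_removed")


def extract_population(log, start, end, events=POPULATION_EVENTS):
    """Select only by event type and inclusive date bounds; apply no other filter.

    Sorting makes the output canonical so the hash is reproducible.
    """
    rows = [
        r for r in log
        if r["event"] in events and start <= datetime.fromisoformat(r["ts"]).date() <= end
    ]
    return sorted(rows, key=lambda r: (r["ts"], r["user"]))


def _digest(rows):
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def control_totals(rows, start, end, generated_at):
    """The figures the auditor writes down while observing the extract being run."""
    return {
        "period_start": start.isoformat(),
        "period_end": end.isoformat(),
        "generated_at": generated_at.isoformat(),
        "record_count": len(rows),
        "first_ts": rows[0]["ts"] if rows else None,
        "last_ts": rows[-1]["ts"] if rows else None,
        "sha256": _digest(rows),
    }


def reconcile(rows, tickets):
    """Two-way reconciliation against the ticket register.

    events_without_ticket: system changes with no approval trail.
    tickets_not_in_extract: approved changes missing from the extract, which may
    indicate the population is incomplete rather than a control failure.
    """
    extract_tickets = {r["ticket"] for r in rows if r["ticket"]}
    return {
        "events_without_ticket": [r["user"] for r in rows if not r["ticket"]],
        "tickets_not_in_extract": sorted(tickets - extract_tickets),
        "unknown_tickets": sorted(extract_tickets - tickets),
    }


def verify_extract(rows, totals, start, end):
    """Re-performance: does the file handed over match what was observed?"""
    in_period = all(start <= datetime.fromisoformat(r["ts"]).date() <= end for r in rows)
    return (
        in_period
        and len(rows) == totals["record_count"]
        and _digest(rows) == totals["sha256"]
    )


if __name__ == "__main__":
    start, end = date(2023, 1, 1), date(2023, 6, 30)
    rows = extract_population(EVENT_LOG, start, end)
    print(json.dumps(control_totals(rows, start, end, datetime(2023, 7, 5, 9, 30)), indent=2))
    print(reconcile(rows, TICKETS_IN_PERIOD))
```

The reconciliation deliberately reports both directions: an event with no ticket is a control exception, while a ticket with no matching event is the signal that the extract (or the log it came from) may be incomplete, which is exactly the question the auditor cannot answer from IT general controls alone.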
What Do Clients of AARC-360 Need to Do Now?
Contact your AARC-360 Team to understand how the new SOC 1 guidance specifically relates to your organization.
We will work with you to:
- Understand changes needed to your system description
- Review your outsourced service providers to ensure proper treatment of these providers as subservice organizations (or not)
- Explain how AARC-360’s examination procedures may change in 2023
Bernie Wedge (Advisory Board Member, AARC-360)