Who Will be Held Responsible for SOC1 Reports that Should Have Been SOC2 Reports?

The recently released AICPA Technical Practice Aid TIS Section 9530 includes the following question on page 7.

This question was most certainly asked by a Service Auditor that found themselves in the precarious position of trying to explain to their client that they really need a SOC 2 report, but were met with resistance because the Service Organization was told by their client to provide a SOC1 (aka SSAE16) report.

If you read the AICPA's answer, it essentially says that it is Management's responsibility, but the Service Auditor can help them if they do not understand the difference.  What a relief.  It is Management's responsibility.

What if Management chooses the wrong report despite help from the Service Auditor?  Will Service Auditors be held responsible for following the attestation standards even when a SOC1 is not applicable? Is there really no wrong answer?

So far I have reviewed SOC1 reports, issued by two separate big 4 CPA firms, that should have been SOC2 reports because they were primarily comprised of non-ICFR controls. See my post on Non-ICFR Controls in an Actual SSAE16.  So will Management be held responsible for inclusions of non-ICFR controls in SOC1 reports

Of course not, the Service Auditor will be because including non-ICFR controls in a SOC1 violates the attestation standard.  In fact, service auditors attest to following these standards in every report they sign:

So who is going to hold Service Auditors accountable?  Meet Jim Brackens, AICPA VP of Ethics and Practice Quality.

Jim oversees the AICPA Peer Review Program and is currently looking for CPA firms that are competent to do peer reviews of SOC reports.  There is a task force that is currently reviewing the SOC Report Checklist, and they are welcoming feedback on strengthening the language so that it is clear what a non-ICFR control is.  I have provided feedback to them, and I would love to pass yours along.

The peer review manual lists the reasons why peer review exists, and why CPA firms must undergo what is essentially an audit of the auditor, but basically the process is there to ensure that CPA firms follow standards issued by the AICPA.  I am excited about the upcoming year and have confidence that SOC reports will not share the fate of SAS70 reports.


  1. Thank you for the post Jon. Coordinating two SOC 1's for 2011 and looking at two SOC 2's as well as assisting a third, (who may also be doing a SOC 1 for 2012), the discussion on whether SOC 1 or SOC 2 will be appropriate has been on my plate for a few months. It is definitely a difficult thing for some in the organization to swallow due to the amount and scope/depth of control activities which will be required in SOC 2. It is even more difficult when different auditing firms provide differing answers on the applicability and necessity of changing to SOC 2. SOC 2 for the Managed Services/Colocation industry is appearing to be closer to the Sales/Marketing side on comparing service providers, while SOC 1 is the report customers' auditors will be looking for.

  2. Aaron, I feel for you and your predicament. You can use the approach I laid out in my post titled: "Examples of Non-ICFR Controls in an Actual SSAE16" to explain it to them that you do not have a choice as an auditor. Don't worry about the other auditing firms. They will be discredited when you lay out the facts.