What’s New for SOC 1 Reports in 2023


Organizations that intend to issue a SOC 1 Report to their customers and business partners in 2023 should be well into planning now for changes in the guidance that impact service organizations and their auditors. This article highlights changes released in February 2023 by the American Institute of Certified Public Accountants (AICPA), which publishes the “rule-book” for SOC 1 Reports issued by auditors, “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting” (i.e., “the Audit Guide”). Organizations may need to make changes to their controls and their system description from prior SOC 1 Reports as a result of this updated guidance.

KEY POINT: The Audit Guide changes are intended to help organizations better meet the information needs of their customers and business partners who use their SOC 1 Reports.  It will be well worth the effort to absorb and embrace this new guidance for 2023 reports, and organizations should start now.

As a reminder, SOC 2 guidance has also changed in the past year.  On December 13, 2022, AARC-360 published an article on changes that impact SOC 2s planned for issuance in 2023.  Following is a link to that article:

Critical Updates to SOC 2 Examinations: Impact on your 2023 Report – AARC-360

Clarified SOC 1 Guidance Regarding Description of the Service Organization’s System

The System Description section of the SOC 1 is typically the longest section of the report.  Judgment is required regarding the level of detail included.  The Audit Guide includes several useful elements of guidance:

KEY POINT: To protect your organization from inadvertently weakening its cybersecurity posture, do not disclose in the SOC 1 System Description details about password configuration rules or other aspects of the IT environment that would assist a threat actor in penetrating your systems.

KEY POINT: The Audit Guide clarifies system description requirements when a service organization outsources aspects of its technology infrastructure to a subservice organization (e.g., a cloud provider). The SOC 1 Report from the technology subservice organization might include a complementary user entity control (CUEC) that the service organization should address in its system description. For example, the technology provider’s SOC 1 might have a CUEC requiring users to have controls to restrict privileged access to system resources. In that case, the service organization would have a control in the report such as: “on a periodic basis, management reviews a list of service organization personnel with access to the technology subservice provider’s system to determine the access is appropriate”.

Determining Whether an Organization That Provides Services to a Service Organization is a reporting “Subservice Organization”

In recent years, SOC reporting guidance has continued to enhance disclosures required for service providers to a service organization.  These enhancements are consistent with the general trend towards outsourcing services prevalent in today’s business environment.  The Audit Guide updates include:

KEY POINT: Whether a service provider is a reportable subservice organization depends on the combination of the service provided and the controls maintained at the service organization to control the service provided. An example provided in the Audit Guide is a report printing and mailing service provider, which could be a relevant subservice organization when the information provided by the report printer is directly incorporated into information that is presented to the user entity and then used in that entity’s financial statements. However, a contrasting example in the Guide is a service organization that maintains internal controls over the completeness and accuracy of the reports provided by the report printing provider, and in that example the report printer would not be a reportable subservice organization.

Guidance for SOC 1 Auditors on the Procedures they Perform

The Audit Guide includes clarifications and examples to help the auditor determine what procedures they should be performing as they conduct the examination:

KEY POINT: Service organizations should ensure that ‘populations’ commonly provided to auditors are complete and accurate. Examples include lists of employees who are added to or removed from systems during the examination period, or lists of application changes migrated to production during the period. The guidance clarifies that the auditor cannot rely on IT general controls alone to determine that the information is reliable. Such listings provided to auditors need to be observed as they are generated and tested to ensure they appropriately represent the population.

What Do Clients of AARC-360 Need to Do Now?

Contact your AARC-360 Team to understand how the new SOC 1 guidance specifically relates to your organization.

We will work with you to:

Authored By
Bernie Wedge (Advisory Board Member, AARC-360)