In September 2020, the AICPA Auditing Standards Board issued Statement on Standards for Attestation Engagements (SSAE) No. 21, Direct Examination Engagements. SSAE No. 21 is applicable to SOC 2 audits, however, the changes brought about by SSAE No. 21 consist primarily of new terminology and the clarification of certain concepts. There are no substantive changes to SOC 2 reports and the underlying SOC 2 audits as a result of SSAE No. 21.
SSAE No. 21 adds a new AT-C section (designated as AT-C section 206, Direct Examination Engagements) to the attestation standards, amends AT-C section 105, Concepts Common to All Attestation Engagements, and supersedes AT-C section 205, Examination Engagements. SSAE No. 21 is effective for reports dated on or after June 15, 2022.
SSAE No. 21 does not apply to SOC 1 audits, which will continue to be performed pursuant to SSAE No. 18 / AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to Entities’ Internal Control Over Financial Reporting.
Summary of Changes Introduced by SSAE No. 21
AT-C section 105
AT-C section 105 introduces and defines the terms underlying subject matter (the phenomenon that is measured or evaluated by applying criteria) and subject matter information (the outcome of the measurement or evaluation of the underlying subject matter against the criteria) to conform with the terminology in ISAE 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information. Using these terms, rather than the single term subject matter, clarifies that in an examination engagement a party other than the CPA firm is responsible for the underlying subject matter and the CPA firm is required to be independent of the underlying subject matter.
AT-C section 105 also introduces and defines the terms direct examination engagement and assertion-based examination engagement.
AT-C section 205
This section applies directly to SOC 2 examinations. AT-C section 205 supersedes the same numbered version that appears in SSAE No. 18 and changes the title of that section from Examination Engagements to Assertion-Based Examination Engagements, to differentiate it from AT-C section 206. The prior (under SSAE No. 18) and new (under SSAE No. 21) versions of the section are substantially the same, including the requirement for the auditor to request a written assertion from the responsible party. AT-C section 205 adds a statement to the examination report indicating that the auditor is required to be independent and to meet the firm’s other ethical responsibilities in accordance with relevant ethical requirements.
AT-C section 206
AT-C section 206 gives CPA firms / auditors the ability to measure or evaluate underlying subject matter against criteria and provide an examination opinion that conveys the results of that measurement or evaluation without another party responsible for the underlying subject matter having first measured or evaluated the subject matter. This enables CPA firms to report on new and emerging nonfinancial subject matters for entities that may not have the expertise in-house to measure or evaluate a complex, emerging subject matter. It enables entities to undergo an examination engagement without providing an assertion about whether the underlying subject matter is in accordance with criteria. The entity is always required to acknowledge its responsibility for the underlying subject matter, but does not provide an assertion such as the one that appears in a SOC 2 report. This section is not applicable to SOC 2 audits.
In summary, SSAE No. 21 creates a new type of direct examination engagement and introduces new terminology, but has no significant impact on SOC 2 examinations.