What is AT-C 320 in a SOC 1 Engagement?
Explore how AT-C 320 establishes the standard for service organizations to provide assurance over controls relevant to their clients' financial audits.
AT-C Section 320 is a professional standard from the American Institute of Certified Public Accountants (AICPA) that guides certified public accountants (CPAs) in creating a System and Organization Controls (SOC) 1 report. The report offers an independent opinion on a service organization’s controls that can affect the financial reporting of companies using its services.
Formally titled “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting,” this standard is part of the broader Statement on Standards for Attestation Engagements (SSAE) No. 18. This framework replaced the older SAS 70 standard. The SOC 1 report is designed for the management of the user company and its financial statement auditors to evaluate risks from outsourced functions.
A service organization provides outsourced services to other businesses that are relevant to those businesses' financial reporting. Common examples include third-party payroll processors, data hosting providers, or companies that manage financial applications. The service organization is responsible for designing, implementing, and maintaining controls over the services it provides.
The user entity is the company that outsources business functions to the service organization. For instance, a manufacturing company that hires an outside firm to process its payroll is a user entity. Its management and financial statement auditors rely on the SOC 1 report because the service organization’s controls impact the user entity’s own internal control over financial reporting.
The service auditor is the independent CPA firm engaged by the service organization to perform the SOC 1 examination. The auditor must be independent of both the service organization and its user entities. The service auditor conducts the examination following AT-C 320 guidelines and issues an opinion on the system’s description and the design of its controls.
The “system” in a SOC 1 engagement is the specific set of services, processes, policies, personnel, and IT infrastructure being examined. The scope is limited to the system that provides services to user entities, not an audit of the service organization’s own financial statements. The service organization’s management is responsible for providing a detailed written description of this system as part of the examination.
The service auditor must receive a written assertion from the service organization’s management before the examination. This formal statement confirms the system’s description is presented fairly and its controls are suitably designed to meet control objectives. For certain reports, the assertion also covers the operating effectiveness of those controls.
A SOC 1 engagement under AT-C 320 results in either a Type 1 or a Type 2 report, with the main difference being the timeframe and depth of testing.
A Type 1 report focuses on a specific point in time. The service auditor evaluates and opines on the design of the controls as of a particular date, for example, June 30, 2024. This report confirms that the description of the system is accurate and the controls are designed appropriately, but it provides no assurance that these controls operated effectively.
A Type 2 report covers a period of time, usually between six and twelve months. It includes all elements of a Type 1 report, but the service auditor also tests the operating effectiveness of the controls throughout the specified review period. This provides a much higher level of assurance to the user entity and its auditors.
Because a Type 2 report includes testing of controls in operation, it is generally preferred by user entities and their auditors. It offers evidence that the controls not only were designed well but also functioned as intended over time. This information is valuable for the user entity’s auditor when assessing risk and may reduce the amount of direct testing they need to perform.
The examination process begins with planning, where the service auditor gains a thorough understanding of the service organization’s system. The auditor identifies risks relevant to user entities’ financial reporting and determines the engagement’s scope. This includes identifying the specific control objectives and related controls that will be examined.
The service auditor then performs the examination procedures. For a Type 1 report, procedures focus on verifying the design of controls as of a specific date, which may involve inquiry of personnel, inspection of system documentation, and observation of processes.
For a Type 2 report, procedures are more extensive to test the operating effectiveness of controls over a period. The auditor selects a sample of transactions or events and tests the application of the controls. This can involve re-performing a control, inspecting evidence of its operation like system logs or signed approvals, and observing the control being performed.
After testing, the auditor evaluates the evidence gathered. The auditor assesses whether the system description is fairly presented and if the controls were suitably designed. For a Type 2 report, the auditor also concludes on their operating effectiveness. Any control failures, known as exceptions, are documented and considered when forming the final opinion.
The final deliverable is the service auditor’s report, a formal document containing several sections. The most prominent is the service auditor’s opinion. An “unqualified” opinion indicates the auditor concluded the service organization’s description of its system is fair and the controls are suitably designed (and operating effectively for a Type 2). A “qualified” or “adverse” opinion is issued if significant issues were identified.
The report also includes the written assertion from the service organization’s management. Including this assertion directly in the report provides transparency and confirms management’s responsibility for the system and its controls. A significant portion of the report is the detailed description of the system, prepared by management, which explains the services, processes, and control environment.
For a Type 2 report, a section describes the service auditor’s tests of controls and the results. This provides user entities and their auditors with insight into the testing performed. It lists the specific controls tested, the testing procedures used, and any exceptions found, which is important information for the user entity’s own risk assessment and audit processes.