When it comes to SOC 2 reporting, one of the most important aspects is something you may never have seen or considered when it comes to your CPA firm: peer review. Peer review is what makes sure the CPA firm has its own policies and procedures in place to produce quality engagements that follow the rules for issuing SOC 2 reports. While CPA firms that don’t receive a “clean” peer review report can still practice, you should tread lightly.
Peer review is a program that registered CPA firms are required to enroll in when they issue attestation or examination engagements (SOC 2). Once every 3 years, a CPA firm is peer-reviewed by another CPA firm, which evaluates its quality control (QC) system as well as the work it performed on specific engagements (selected by sampling). This is done to determine that the firm’s QC system is adequate, that the firm is complying with that system, and that the engagements are being performed in accordance with the applicable standards. During a peer review, the reviewing firm will ask questions, examine policies and procedures, and review engagement work papers in order to reach its conclusions.
When a CPA firm receives a report from the peer reviewer with a peer review rating of pass, the report means that the system is appropriately designed and being complied with by the CPA firm.
If a CPA firm receives a report with a peer review rating of pass with deficiencies, this means the system is designed and being complied with appropriately by the CPA firm in all material respects, except in certain situations that are explained in detail in the peer review report. When a firm receives a report with a peer review rating of fail, the peer reviewer has determined that the firm’s system is not suitably designed or being complied with, and the reasons why are explained in detail in the report.
Peer review helps to monitor a CPA firm’s accounting and auditing practice (practice monitoring). The goal of practice monitoring, and of the program itself, is to promote and enhance quality in the services provided by the CPA firm. This goal serves the public interest and enhances audit quality for SOC 2 reports.
So now that you know about peer review, what do you do? It’s easy. You can request to see a CPA firm’s peer review report. Read it, and see what type of report they got (pass, pass with deficiencies, or fail), and then it’s up to you to decide.
Keep in mind that peer review happens once every 3 years for a CPA firm, and it takes a while for a peer review to be completed. So, if you see a peer review report from 2 years ago, it’s still current. Even a report that is more than 3 years old might be current, because the CPA firm may currently be undergoing its review and awaiting its new report.
Just talk to your CPA if the dates seem off.