EVALUATING ETHICS AND INDEPENDENCE IN SOC REPORT EXAMINATIONS

As organizations adopt GRC platforms to support their compliance programs, questions around independence in performing SOC report examinations have become more prominent.

These platforms play an important role in organizing evidence and streamlining preparation. At the same time, organizations should consider how their use intersects with the SOC reporting process and whether auditor independence is preserved throughout the examination.

At 360 Advanced, our approach is designed to maintain objectivity in environments where a wide range of platforms are in use. 

Our Approach to SOC Report Examinations involving GRC Platforms 

360 Advanced maintains a consistent, platform-neutral approach across SOC report examinations: 

Platform-agnostic execution. We work within a variety of client and GRC environments without reliance on or alignment to any specific platform, including clients without a GRC platform. We maintain an independent, adaptable examination approach regardless of the tools utilized.

Independent audit judgment. All decisions related to examination fees, scope, timing, evidence, and conclusions are determined by the examination team based on professional judgment. We do not permit any GRC platform to sell SOC report examinations on our behalf (commonly referred to as platform/engagement bundles).

No concentration within a single ecosystem. Our client base spans a broad set of tools and approaches, reducing the potential for external influence tied to any one provider.

Evidence-driven methodology. The presence of a GRC platform does not replace examination procedures. Evidence is evaluated independently, regardless of how it is collected or organized. 

What Organizations Should Consider

When evaluating a provider to perform your SOC report examination in a platform-driven environment, organizations should consider: 

  • Whether the service auditor firm operates across multiple GRC platforms versus concentrating on a single GRC platform or a handful of them
  • How independence is maintained when platforms are part of the examination
  • Whether examination decisions are influenced by external relationships or constraints  
  • How evidence is evaluated beyond the structure of a GRC platform  

A SOC report examination must reflect independent, objective validation, with the underlying platform supporting the process rather than shaping it.

360 Advanced Response to Key Considerations

The following reflects 360 Advanced’s approach to maintaining independence and objectivity in SOC report examinations where GRC platforms are part of the environment as identified in the AICPA Ethics Staff Insights article.

Responsible Party Considerations

The responsible party is simply defined by the AICPA as the party responsible for the subject matter. We only consider management of the service organization to be the responsible party as they are ultimately responsible for measuring and evaluating the underlying subject matter against the criteria and providing the written assertion and management representations. 

Network Firm Considerations 

We operate independently from GRC platforms and do not integrate them into our firm structure.

Ethical Conflicts

We do not enter into arrangements that could influence professional judgment or create either a perceived or actual conflict with our professional responsibilities during the examination process.

Undue Influence Threat and Related Safeguards 

An undue influence threat may arise when an arrangement could cause the service auditor to give preference to a GRC platform’s interests or influence, rather than exercising independent professional judgment.

Platform Independence

Our platform-agnostic approach reduces the potential for external influence on audit decisions and avoids reliance on any single GRC platform as a source of client referrals. This approach preserves objectivity and ensures our professional judgments remain independent of any platform referrals.

Cross-Referrals

We do not structure our business around any exclusive or concentrated platform relationships, which reduces the risk of cross-selling incentives.

Tool Provider Involvement in the SOC Examination 

Third-party tool providers do not participate in or influence examination procedures.

Timing and Deadlines

Examination timelines are independently determined by 360 Advanced based on scope, risk, evidence requirements, and client expectations only. Tool providers have no ability to influence timing considerations determined by 360 Advanced.

Bundled Services 

Examination fees are determined independently by 360 Advanced and are not packaged or priced as part of broader platform-driven offerings. No platform is authorized to sell examinations on behalf of 360 Advanced.

Self-Interest Threat and Related Safeguards

A self-interest threat may arise when fee arrangements, referral incentives, revenue-sharing, or other benefits from a GRC tool provider create financial interests that could influence, or appear to influence, the service auditor’s objectivity and professional judgment.

Platform Diversification

We maintain an approach that avoids platform concentration dependencies that could impact objectivity.

Evidence Access and Sufficiency 

We maintain full control over evidence obtained in performing the examination procedures.

Advertising and Representation

All representations of our services are aligned with professional standards and avoid creating unrealistic expectations.

FAQ: Ethics Risks in SOC Report Examinations 

How do GRC platforms impact SOC report examination independence? 

GRC platforms support organization and efficiency, but they do not determine examination outcomes. Independence is maintained through a platform-neutral approach and examination practices that are not tied to any specific tool. 

Does using a specific platform influence examination processes? 

No. Our client base utilizes a wide range of platforms, and our firm’s examination methodology is designed to operate consistently across all of them. This structure reduces the potential for undue influence.

How does 360 Advanced maintain objectivity when working within GRC platforms? 

Examination procedures, evidence evaluation, and conclusions are determined independently by the examination team. Platforms may organize information, but they do not influence judgment.

Can a platform provider influence the scope or timing of a SOC examination? 

No. Examination scope and timing are established based on professional standards, risk considerations, and evidence requirements. External parties, including platform providers, do not direct or determine these decisions.

Is evidence from a GRC platform sufficient for a SOC examination? 

Platforms can help organize and present evidence, but all evidence is evaluated independently for sufficiency and appropriateness. Additional procedures may be performed as needed to meet examination requirements.

What should organizations look for in a service auditor when using a GRC platform? 

Organizations should look for a service auditor that operates across multiple platforms, maintains independence in its examination approach, and evaluates evidence based on professional standards rather than tool-specific workflows.

Does working across multiple platforms improve SOC examination quality? 

Working across a wide range of environments supports consistency and objectivity. It reduces reliance on any single system and helps ensure that examination practices remain independent of platform-specific approaches.

What other ethical considerations should organizations evaluate when selecting a SOC audit firm?

Organizations should also consider whether the audit firm is properly licensed and operating in accordance with applicable state laws and regulations governing CPA firms.

SOC examinations are performed under professional standards that may carry jurisdiction-specific requirements related to firm licensing, registration, and the delivery of attestation services. Depending on the location and operations of the service organization, audit firms may be required to maintain licensure, reciprocity, or other registrations within the applicable state or jurisdiction.

Organizations may wish to evaluate whether the firm being considered is:

  • In good standing with the applicable state board(s) of accountancy
  • Properly licensed or authorized to provide services within the relevant jurisdiction(s)
  • Adhering to state-specific regulations governing CPA firm operations and attestation engagements
  • Maintaining appropriate oversight and quality control procedures consistent with professional standards

At 360 Advanced, we maintain licensing and compliance practices designed to support the jurisdictions in which we operate and the professional standards governing SOC examinations.
