New SSAE Ethics & Independence Clarifications

At the end of 2025, the AICPA Professional Ethics Executive Committee released clarifying revisions to the AICPA Code of Professional Conduct related to engagements performed under the Statements on Standards for Attestation Engagements.

These changes may look “technical” at first glance — but they are highly relevant for SOC1, SOC2, SOC for Cybersecurity, and other SSAE-based engagements.

Obraz autorstwa freepik

The revisions are:

Effective from June 15, 2026

Historically, many independence interpretations in the Code were written with financial statement audits in mind.

However, SSAE engagements:

➡️ often cover non-financial subject matter,

➡️ involve point-in-time or period-based assertions,

➡️ are increasingly used for technology, cybersecurity, privacy, and controls assurance.

These clarifications are intended to increase consistency, transparency, and defensibility.

New Definition

One of the most important updates is the introduction of a new defined term:

“Period covered by the attest report”

This replaces the financial-audit-centric concept of:

“period covered by the financial statements”.

Independence assessments must now align precisely with the attest report scope, not default financial reporting periods.

Independence Rules

The PEEC revised multiple interpretations to clearly state:

➡️ independence requirements apply equally to SSAE engagements,

➡️ terminology has been updated to reflect attest engagements beyond financial audits,

➡️ examples were added specifically for SSAE contexts.

Non attest Services & SSAEs

The revisions clarify:

➡️ when non attest services impair independence in SSAE engagements,

➡️ how mergers and acquisitions affect independence if prohibited services were previously provided,

➡️ how attribution of non attest services should be assessed.

For SOC practices, this is critical:

➡️ advisory + attestation boundaries must be clearly managed,

➡️ independence documentation becomes even more important,

➡️ marketing “combined offerings” without governance may increase risk.

Use of External Resources

The guidance clarifies:

➡️ a firm cannot include non-independent firms or personnel as part of the attest engagement team,

➡️ but may use their work in a manner similar to internal auditors, if professional standards are met.

This is particularly relevant for:

➡️ global SOC engagements,

➡️ shared service models,

➡️ use of external specialists or technology partners.

Independence

The revisions reinforce:

➡️ the need to evaluate and document independence threats,

➡️ criteria for assessing the severity of independence breaches,

➡️ actions required when breaches occur.

Link

Author: Sebastian Burgemejster