CC1.2

According to the AICPA FAQ document released November 2020:

This definition recognizes that smaller, less complex businesses may find it costly and unnecessary to attract independent board members. These entities generally have different control environments, which may be as effective as those in larger, more complex organizations. In the context of a smaller, less complex service organization, an owner manager may have far greater personal oversight over organizational structure operations; the ability to affect ethical values; and the ability to attract, retain, and hold accountable service organization personnel. In addition, an owner-manager is likely to actively participate in the operation of key controls (by exercising a high level of supervision and review) to provide adequate oversight of internal control and to mitigate risks arising from the lack of segregation of duties that often exists in such organizations. When that is the case, a service auditor may conclude that the lack of a board of directors at a smaller, less complex service organization is unlikely to affect the achievement of the service organization’s service commitments and system requirements.In some situations, however, an owner-manager may not have the knowledge or competence to perform the oversight role without placing excessive reliance on company service organization management. In this situation, the lack of independent oversight may result in a breakdown in internal controls and increase the risk of fraud.

In such cases, the service auditor evaluates the effect of the design deficiency on the service organization’s achievement of its service commitments and system requirements; based on that evaluation, the service auditor may decide to modify the opinion on suitability of design in the SOC 2 report.

Ultimately, it is up to the auditor to determine if the lack of independence would be an issue, but in most cases they will determine it is appropriate for a small company.