Navigating changes to the SOC 2 guide

Article

Our colleagues at member firm BDO USA posted the original version of this article on Dec. 2, 2022. You can also read it below.


In late October 2022, the American Institute of Certified Public Accountants’ (AICPA’s) Assurance Services Executive Committee (ASEC) released an update to the system and organization control (SOC) 2 reporting guide. Significant updates have been made to the Description Criteria implementation guidance and the Trust Services Criteria points of focus. Overall, the changes provide clarity around several recent and emerging industry topics and continue to promote reporting quality and consistency.

Summary of changes

Available for use now, the AICPA updates for SOC 2 examinations are significant and may require additional time and attention from companies that currently have a SOC 2 report or are planning on working toward compliance. High-level updates include:

  • Incorporating new attestation standards (e.g., SSAE-20 and SSAE-21).
  • Updates to the Description Criteria implementation guidance for additional clarity regarding certain disclosure requirements, guidance on disclosure of how controls meet the requirements of a process or control framework, and guidance on disclosure of information about the risk assessment process and specific risks.
  • Updates to the points of focus that support the application of the Trust Services Criteria, so that they better reflect the ever-changing technology, legal, regulatory, and cultural risks; data management requirements, particularly those related to confidentiality; and the distinction between a data controller and a data processor for privacy engagements.
  • Incorporating, where appropriate, updates included in the AICPA Guide Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1 guide).
  • Incorporating, where applicable, additional guidance included in the AICPA Guide Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System (SOC for supply chain guide), particularly related to the risk assessment guidance.

Additional updates

Other updates from the AICPA include, but are not limited to, the following:

  • Making qualitative materiality assessments (from the AICPA whitepaper on materiality).
  • Considering the service organization’s use of software applications and tools (from the SOC Tools FAQ).
  • Considering the operation of periodic controls that operated prior to the period covered by the examination.
  • Considering management’s use of specialists.
  • Performing and reporting in a SOC 2+ engagement (including an updated illustrative service auditor’s report).
  • Addressing considerations when the service organization has identified a service commitment or system requirement related to meeting the requirements of a process or control framework (such as HIPAA, ISO, or NIST).
  • Removing supplements and several appendices, which will be replaced with links to the appropriate documents on the AICPA website.

How we can help

If you currently have or will be working toward a SOC 2 report, it’s essential to understand the impact on the SOC 2 reporting process. It’s also essential to ensure that frameworks are aligned and that controls are in place to effectively guard against cybersecurity risks and protect sensitive data. Contact us to learn how we can help your business.