The AICPA released an updated guide to reporting on an examination of system and organization controls. The guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2 Guide) was published on October 15, 2022.
The SOC 2 Guide is used by practitioners providing SOC 2 services and examinations and can serve as a reference for organizations that issue SOC 2 reports. While not authoritative guidance, the SOC 2 Guide provides valuable clarifications and examples of implementation of the standards.
Description Criteria and Trust Services Criteria
In addition to the new SOC 2 Guide, the AICPA also released the Description Criteria and Trust Services Criteria with revised points of focus. The Description Criteria and Trust Services Criteria, in place since 2018 and 2017, respectively, have not changed; only the points of focus were revised, to give further clarity and guidance on applying the Trust Services Criteria. Points of focus are not themselves criteria and are not requirements; they are examples of matters to consider when evaluating whether a criterion is met.
Key Changes in the SOC 2 Guide
While there have been many small revisions to the SOC 2 Guide, there are several larger changes that could affect how an organization designs and operates its controls.
The new guidance also interprets the requirements described in the criteria and gives direction on describing the system in scope for a SOC 2 examination and on reporting incidents or changes that occurred during the examination period.
Key updates include:
- The Service Organization’s Objectives, Service Commitments, and System Requirements. Provides additional clarity on the organization’s objectives and how they relate to its service commitments and system requirements.
- Selecting the Trust Services Category or Categories to Be Addressed by the Examination. Gives guidance on the factors a service organization should consider when deciding which categories to include.
- Difference Between Confidentiality and Privacy. Presents key differences between these two categories, when it’s appropriate for a service organization to report on controls included in them, and differences for data controllers versus data processors as it relates to addressing privacy.
- Meeting the Requirements of a Process or Control Framework and SOC 2 Examination That Addresses Additional Criteria (SOC 2+). Includes greater detail when a service organization is presenting controls related to frameworks or requirements outside of the SOC 2 Trust Services Categories.
- Considerations in Identifying Subservice Organizations and Management’s Use of Specialists. Provides guidance on how to distinguish vendors from subservice organizations, and on the appropriate controls and disclosures related to management’s use of specialists.
- IT Services. Clarifies independence responsibilities for CPAs who provide services such as designing, implementing, or integrating governance, risk, and compliance (GRC) tools or monitoring tools, and the self-review and management-participation threats to independence that such services create.
- Review Controls. Includes additional information related to how management should perform review controls and the various considerations associated with that type of control.
- Considering Controls That Did Not Need to Operate During the Period Covered by the Examination and Considering the Relevancy of Controls That Operated Prior to the Period Covered by the Examination. Gives guidance on how management and a CPA should treat controls that operated, or did not need to operate, outside the specific examination period.
We’re Here to Help
If you have questions about the SOC 2 Guide, contact your Moss Adams professional.
Learn more at our SOC Examinations resources page.