Alert

AICPA Releases Updated SOC 2 Guide

Jared James, Principal, IT Consulting Services

November 17, 2022
LinkedIn Share Button Twitter Share Button Other Share Button Other Share Button
Quick facts about a SOC examination, including benefits, criteria, and next steps

The AICPA released an updated guide to reporting on an examination of system and organization controls. The guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2 Guide) was published on October 15, 2022.

The SOC 2 Guide is used by practitioners providing SOC 2 services and examinations and can serve as a reference for organizations that issue SOC 2 reports. While not authoritative guidance, the SOC 2 Guide provides valuable clarifications and examples of implementation of the standards.

Description Criteria and Trust Services Criteria

In addition to the new SOC 2 Guide, the AICPA also released the Description Criteria and Trust Services Criteria with revised points of focus. The Description Criteria and Trust Services Criteria, which have been in place since 2018 and 2017, respectively, haven’t changed, but rather the points of focus were revised to provide further clarity and guidance of the Trust Services Criteria.

Key Changes in the SOC 2 Guide

While there have been many small revisions to the SOC 2 Guide, there are several larger changes that could affect how an organization designs and operates its controls.

The new guidance also interprets the requirements described in the criteria, describes the system in scope for SOC 2, and reports on incidents or changes that occurred.

Key updates include:

  • The Service Organization’s Objectives, Service Commitments, and Systems Requirements. Provides additional clarity on the organization’s objectives and how they relate to the service commitments and system requirements.
  • Selecting the Trust Services Category or Categories to Be Addressed by the Examination. Gives guidance on what factors should be considered by a service organization.
  • Difference Between Confidentiality and Privacy. Presents key differences between these two categories, when it’s appropriate for a service organization to report on controls included in them, and differences for data controllers versus data processors as it relates to addressing privacy.
  • Meeting the Requirements of a Process or Control Framework and SOC 2 Examination That Addresses Additional Criteria (SOC 2+). Includes greater detail when a service organization is presenting controls related to frameworks or requirements outside of the SOC 2 Trust Services Categories.
  • Considerations in Identifying Subservice Organizations and Management’s Use of Specialists. Provides guidance on how to identify vendors versus subservice organizations, and appropriate controls and disclosures related to the use of specialists by management.
  • IT Services. Clarifies independence responsibilities for CPAs providing services such as the design, implementation, or integration of governance, risk, and compliance (GRC) tools, or monitoring, and the threats to independence of self-review and management participation.
  • Review Controls. Includes additional information related to how management should perform review controls and the various considerations associated with that type of control.
  • Considering Controls That Did Not Need to Operate During the Period Covered by the Examination and Considering the Relevancy of Controls That Operated Prior to the Period Covered by the Examination. Gives guidance on how management and a CPA should account for controls that may have operated outside a specific examination period.

We’re Here to Help

If you have questions about the SOC 2 Guide, contact your Moss Adams professional.

Additional Resources

Ask a Question

The material appearing in this communication is for informational purposes only and should not be construed as advice of any kind, including legal, accounting, tax, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Changes in tax laws or other factors could affect the information provided in this communication.

Related Topics

Article
What Is a SOC Report?
Learn all the different types of SOC reports, why they’re important, and what information they provide.
Article
Article
SOC Exam for Cybersecurity
Learn how a SOC examination can address risks as work places go remote during COVID-19.
Article
Article
Comparing SOC 2 and ISO/IEC 27001 FAQ
Discover how SOC 2® and ISO/IEC 27001 can enhance your organization's security landscape and build customer trust.
Article
Article
Identify Top Cyberthreats
Learn to protect your organization with a more stringent cybersecurity strategy.
Article
View More

Contact Us with Questions

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Moss Adams Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.