The AICPA is the professional organization that sets the attestation standards under which SOC reports are issued, and it publishes a SOC 2 Guide intended to help service organizations better meet the information needs of their customers and business partners. When the AICPA issues new Statements on Standards for Attestation Engagements (SSAEs), it also releases an updated Guide that reflects the new standards.
The AICPA published the latest SOC 2 Audit Guide, “Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2),” in October 2022. The revisions in this version:
- Revised SOC 2 Description Criteria requirements.
- Revised Points of Focus (PoF) for the SOC 2 Trust Services Criteria (TSC).
- Incorporated requirements from new attestation standards and clarified applicable standards.
Summary of Description Criteria Updates
- Additional clarification on disclosing how controls meet the requirements of a process or control framework.
- New considerations for disclosing information about the risk assessment process and the specific risks identified.
- Clarification of the objectives of service organizations and how those objectives relate to the principal service commitments and system requirements.
Impact: Increased focus on identifying the principal service commitments and on disclosing the details of management’s formal risk assessment within the description of the system.
Summary of Revised Points of Focus From the 2017 TSC
- PoFs represent important characteristics of the TSC set forth by the AICPA.
- PoFs are not necessarily applicable to all organizations but can provide useful considerations when management assesses risk and designs controls.
- The revisions to the PoFs do not alter the criteria within the 2017 TSC.
- These updates to the PoFs provide additional clarity for each category and modernize them to include new and emerging technologies, threats, vulnerabilities, and mitigation tactics.
Impact: Additional considerations when evaluating whether the controls are suitably designed to achieve the service organization’s service commitments and system requirements based on the applicable trust services criteria.
Summary of Changes to Incorporate New SSAEs Since Last Revision of SOC 2 Guide
- Amends the illustrative SOC 2 opinion language to comply with the requirements of SSAE No. 20, Amendments to the Description of the Concept of Materiality, and SSAE No. 21, Direct Examination Engagements.
- Clarifies that SOC 2 reports are issued under AT-C 205, Assertion-Based Examination Engagements, and cannot be issued under AT-C 206, Direct Examination Engagements.
- Provides additional illustrations and examples of SOC 2+ reports, including those covering the HIPAA Privacy Regulations, ISO 27001, NIST, and HITRUST.
Impact: Minimal impact on service organizations. This revision primarily affects service auditors.
If you have questions or need assistance, please reach out to one of our professionals.