What's New With SOC 2: Updated AICPA Guidance

In recent years, System and Organization Controls (SOC) reports have been impacted by technological advancements, changes in the way service organizations manage compliance, and a host of new software tools that perform functions that are examined within a report. Thus, last year, the American Institute of Certified Public Accountants (AICPA) released an updated audit guide for SOC 2 reports specifically. The guide is designed to assist service auditors engaged by service organizations to examine and report on controls relevant to security, availability, processing integrity, confidentiality, or privacy. This is the first significant update to the SOC 2 guidance since 2018.

The guide includes explanations and examples of guidelines and procedures that service auditors and their clients should follow when examining and reporting on these critical controls. Highlights include:

Description Criteria Updates

Revised guidance related to the description criteria does not actually alter the criteria, but is intended to provide users with:

• Additional clarity regarding certain disclosure requirements
• Guidance on disclosing how controls meet the requirements of a process or control framework
• Guidance on disclosure about the risk assessment process and specific risks

Trust Services Criteria Updates

The current trust services criteria were modified to reflect new points of focus in this area. These revised points of focus should better support application of the criteria in addressing:

• The ever-changing threats, vulnerabilities, and other matters that may create additional security risks to organizations
• Changing legal and regulatory requirements regarding privacy
• Data management requirements (e.g., data storage, backup, and retention), particularly when related to confidentiality
• Distinctions related to privacy that may apply in certain ways to an organization that is a data controller and in different ways to an organization that is a data processor

Guidance on a Service Organization’s Objectives, Service Commitments, and System Requirements

The guidance advises including only those service commitments and system requirements that relate to the service organization’s overall objective, and it provides examples of those commitments and requirements.

Guidance on System Boundaries

The new guide clarifies the boundaries of the system and specifically includes guidance to consider regarding third-party software applications or tools that a service organization may use.

Selecting the Trust Service Category or Criteria to Be Addressed in the Exam

In theory, the service organization gets to choose the criteria relevant to security, availability, processing integrity, confidentiality, or privacy that will be part of the SOC 2 report. The guidance clarifies the service auditor’s obligation to accurately disclose in its description what the service commitments are and the existence and effectiveness of the controls that address those concerns.

Distinguishing Between Confidentiality and Privacy

The guide clarifies that confidentiality is fairly common, and it relates to an agreement between parties not to discuss something publicly. Privacy is a more technical legal term that relates to the obligation to protect personal identifiable information within the service organization’s care. Not all SOC 2 examinations require that both of these criteria be included.

SOC 2+: Guidance for Service Auditor Report on Trust Services Criteria Under SOC and Additional Frameworks

The new guidance provides additional support for service auditors that are presenting controls related to other frameworks outside of the SOC 2 trust services categories.

Identifying Subservice Organizations and Management’s Use of Specialists

The guidance provides criteria for identifying subservice organizations. In short, a subservice organization is a vendor that performs controls that are necessary in combination with controls at the service organization to meet their service commitments and system requirements. The language is very subjective, but the guide helps clarify.

Independence of CPAs Providing IT Services

With so many CPA firms offering consulting support on systems and software, the new guidance provides additional insights on the limitations that apply when a CPA firm works with its clients to integrate a SOC compliance monitoring solution.

Review Controls

This update provides a specific list of what the service auditor needs to understand about the design of review controls, and it offers suggestions on the extent of testing necessary to determine if a precision control is performed effectively within an exam period.

Vendor Risk Management

The guidance references processes and controls outlined in Trust Services Criterion CC9.2 that can help a service organization assess the risks associated when interacting with a vendor or business partner. The guidance offers some concrete steps that a service organization can take to manage these relationships more effectively.

How We Can Help

System and organization controls frequently generate complicated questions between service auditors and clients. While these new rules provide some helpful examples and clarifications, it will no doubt remain a challenging practice area. If you have questions about how the new rules apply to your organization, please contact your KSM advisor or fill out this form.