SOC 2 reports get an update

SOC 2® standards have been updated. If you perform these engagements, you need to check out the recently updated SOC 2 guide to make sure you are performing these services according to AICPA standards.

Released last month, the updated guide is a “how to” for service auditors performing SOC 2 examinations to report on a service organization’s system controls relevant to security, availability, processing integrity, confidentially, or privacy. There are three major updates practitioners will want to pay attention to:

1. Alignment with clarified attestation standards
   
   The guide conforms with the updated SSAE No. 18 (Clarified Attestation Standards) – meaning it is a vital tool for practitioners to use in developing standards-compliant reports. For example, it includes updated information on requirements related to requesting written assertions and performing risk assessments.

2. Updated Description Criteria
   
   The 2018 description criteria include necessary information on preparing and reviewing the presentation of the description of a service organization’s system. For example, the 2018 criteria require that the system description disclose the nature, timing, and extent of certain identified system incidents. The criteria also include helpful implementation guidance related to disclosures, including what to consider when determining whether to disclose an incident. The 2018 description criteria must be used when preparing system descriptions for SOC 2 reports with periods ending as of or after Dec. 16, 2018, although early implementation is permitted.
3. Updated Trust Services CriteriaLast year, the AICPA updated its Trust Services Criteria to align with the COSO 2013 Framework, which is widely used in the design and implementation of internal controls. Service organizations and practitioners need to know how the updated criteria impact the evaluation of the suitability of design and operating effectiveness of controls for SOC 2 engagements. These criteria are intended to be used in conjunction with the 2018 description criteria, so practitioners must use them for SOC 2 reports with periods ending as of or after Dec. 16, 2018.

Resources and Tools

The updated guide also includes:

• a comprehensive illustrative SOC 2 Type 2 report
• a new illustrative SOC 3® report
• a new appendix for performing and reporting on a SOC 2 examination in accordance with International Standards on Assurance Engagements (ISAES) or in accordance with both the AICPA’s attestation standards and the ISAES
• expanded information on unique challenges and risks that service auditors will encounter in performing SOC 2 or SOC 3 engagements for service organizations.

As part of the guide update, the AICPA also developed a free appendix that provides service organization management with information they need to know before engaging a CPA for a SOC 2 service.

These and other tools available on the AICPA’s SOC for Service Organizations webpage can help CPAs familiarize themselves with the latest criteria and guidance for performing SOC 2 engagements, as well as help them identify opportunities to begin assisting their clients with the transition process. For even more information, sign up for the April 25 webcast SOC 2 Performance and Reporting Update.

Lindsay N. Patterson, CAE, Senior Manager — Communications and Public Relations, Association of International Certified Professional Accountants

     

Related Stories

• 4 new opportunities blockchain could create for auditors
• Why I’m #AuditorProud: Auditors Are Protectors
• Switching to a C corp? Think twice about it.