AICPA changes to SOC 2: what service organizations need to know

The American Institute of Certified Public Accountants (AICPA) recently released an updated Service Organization Controls (SOC) 2 report audit guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC® 2). The updated guide contains significant changes to examination scope and procedures, as well as to the content of the SOC 2 report deliverable. These updates affect both service organizations issuing SOC 2 reports and companies that receive and review SOC 2 reports as part of their vendor risk management programs.

Highlights from the update to the guide

  • Updated language within independent service auditor opinion and management assertion reporting templates
  • More explicit scoping requirements for examinations addressing the Privacy or Confidentiality Trust Principles, based on the lifecycle of the personal or confidential data
  • Considerations when there is not continuous examination coverage between annual SOC reports (e.g., a nine-month reporting period, with the remaining three months not covered by an examination)
  • Additional guidance on what constitutes a fairly presented system description
  • Expectation of including controls in place to monitor subservice organizations
  • Illustrative control activity language to help ensure sufficient detail is included in the description
  • Clarification on including complementary user entity controls (CUECs) based on the degree of significance to achieving the related SOC 2 criteria
  • Expected detail for service auditors to include in control exception language where a sampling method was used
  • Expanded guidance on how to report controls without related activity occurring during the audit period

Service providers undergoing SOC 2 examinations should familiarize themselves with these changes and discuss them with their SOC 2 audit team. As the guide was released in September 2015, the updated requirements should be incorporated into 2015 SOC 2 reports not yet issued.

For more information on this topic, or to learn how Baker Tilly SOC specialists can help, contact our team.
