AICPA changes to SOC 2: What service organizations need to know

The American Institute of Certified Public Accountants (AICPA) recently released an updated Service Organization Control (SOC) 2 report audit guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC® 2). The updated guide contains significant changes related to examination scope and procedures, as well as to the content of the SOC 2 report deliverable. These updates affect both service organizations issuing SOC 2 reports and companies that receive and review SOC 2 reports as part of their vendor risk management programs.

Highlights from the update to the guide

  • Updated language within independent service auditor opinion and management assertion reporting templates
  • More explicit scoping requirements for examinations addressing the Privacy or Confidentiality Trust Principles, based on the lifecycle of the personal or confidential data
  • Considerations when there is not continuous examination coverage between annual SOC reports (e.g., a nine-month reporting period, with the remaining three months not covered by an examination)
  • Additional guidance on what constitutes a fairly presented system description
  • Expectation of including controls in place to monitor subservice organizations
  • Illustrative control activity language to help ensure sufficient detail is included in the description
  • Clarification on including complementary user entity controls (CUECs) based on the degree of significance to achieving the related SOC 2 criteria
  • Expected detail for service auditors to include in control exception language where a sampling method was used
  • Expanded guidance on how to report controls without related activity occurring during the audit period

Service providers undergoing SOC 2 examinations should familiarize themselves with these changes and discuss them with their SOC 2 audit team. As the guide was released in September 2015, the updated requirements should be incorporated into 2015 SOC 2 reports not yet issued.

For more information on this topic, or to learn how Baker Tilly SOC specialists can help, contact our team.