The American Institute of Certified Public Accountants (AICPA) recently released an updated Service Organization Controls (SOC) 2 report audit guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC® 2). The updated guide contains significant changes to examination scope and procedures, as well as to the content of the SOC 2 report deliverable. These updates affect both service organizations issuing SOC 2 reports and companies that receive and review SOC 2 reports as part of their vendor risk management programs.
Highlights from the update to the guide
- Updated language within independent service auditor opinion and management assertion reporting templates
- More explicit scoping requirements for examinations addressing the Privacy or Confidentiality Trust Principles, based on the lifecycle of the personal or confidential data
- Considerations when there is not continuous examination coverage between annual SOC reports (e.g., a nine-month reporting period, with the remaining three months not covered by an examination)
- Additional guidance on what constitutes a fairly presented system description
- Expectation of including controls in place to monitor subservice organizations
- Illustrative control activity language to help ensure sufficient detail is included in the description
- Clarification on including complementary user entity controls (CUECs) based on the degree of significance to achieving the related SOC 2 criteria
- Expected detail for service auditors to include in control exception language where a sampling method was used
- Expanded guidance on how to report controls for which no related activity occurred during the audit period
Service providers undergoing SOC 2 examinations should familiarize themselves with these changes and discuss them with their SOC 2 audit team. As the guide was released in September 2015, the updated requirements should be incorporated into 2015 SOC 2 reports not yet issued.
For more information on this topic, or to learn how Baker Tilly SOC specialists can help, contact our team.