
The AICPA is the governing body for SOC 2®. Periodically, the AICPA updates its standards and guidance. The SOC 2 guide, updated in October of 2022, provides interpretive guidance to the auditors who perform SOC 2 examinations. The recent update made no changes to the Trust Services Criteria (TSC); however, it did update the interpretations and guidance on how SOC 2 examinations are performed.

Potential impacts to service organizations who have a SOC 2 examination performed

What's new with SOC 2?

| Updated guidance description | Potential impact | Relevant guide paragraph for more information |
| --- | --- | --- |
| Additional examples around inherent risks that auditors may consider. | Auditors may ask service organizations more questions about these inherent risk areas and place more emphasis on them when planning their examinations than they have in the past. | 2.129 |
| Enhanced guidance on the completeness and accuracy of information provided or produced by the entity (IPE). | Auditors may enhance the level of evidence they require from the service organization, especially around areas such as the completeness and accuracy of populations which are used as a basis for sampling. | 3.137 to 3.145 |
| Increased focus on vendor risk management performed by the service organization. | Service organizations may need to enhance their vendor risk management procedures. | 3.162 to 3.174 |
| Example SOC 2+ report | The form of the opinion and assertion may change with the example now included in the SOC 2 guide. | Appendix E |

For additional guidance on how the changes to SOC 2 could impact your service organization, connect with a Baker Tilly SOC specialist.

Jeff Krull
Partner