Navigating Changes to the SOC 2 Guide

In late October 2022, the American Institute of Certified Public Accountants’ (AICPA’s) Assurance Services Executive Committee (ASEC) released an update to the System and Organization Control (SOC) 2 reporting guide. Significant updates have been made to the Description Criteria implementation guidance and the Trust Services Criteria points of focus. Overall, the changes provide clarity around several recent and emerging industry topics and continue to promote reporting quality and consistency. 

Summary of Changes

Available for use now, the AICPA updates for SOC 2 examinations are significant and may require additional time and attention from companies that currently have a SOC 2 report or are planning on working toward compliance. High-level updates include:

  • Incorporating new attestation standards (e.g., SSAE-20 and SSAE-21);
  • Updates to the Description Criteria implementation guidance for additional clarity regarding certain disclosure requirements, guidance on disclosure of how controls meet the requirements of a process or control framework, and guidance on disclosure of information about the risk assessment process and specific risks;
  • Updates to the points of focus that support the application of the Trust Services Criteria that better reflect the ever-changing technology, legal, regulatory, and cultural risks, data management requirements, particularly related to confidentiality, and differentiating between a data controller and a data processor for privacy engagements;
  • Incorporating, where appropriate, updates included in the AICPA Guide Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1 guide);
  • Incorporating, where applicable, additional guidance included in the AICPA Guide Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System (SOC for supply chain guide), particularly related to the risk assessment guidance.

Additional updates

Other updates from the AICPA include, but are not limited to, the following:

  • Making qualitative materiality assessments (from the AICPA whitepaper on materiality);
  • Considering the service organization’s use of software applications and tools (from the SOC Tools FAQ);
  • Considering the operation of periodic controls that operated prior to the period covered by the examination;
  • Considering management’s use of specialists;
  • Performing and reporting in a SOC 2+ engagement (including an updated illustrative service auditor’s report);
  • Addressing considerations when the service organization has identified a service commitment or system requirement related to meeting the requirements of a process or control framework (such as HIPAA, ISO or NIST);
  • Removing supplements and several appendices, which will be replaced with links to the appropriate documents on the AICPA website.

Our Perspective

If you currently have or will be working toward a SOC 2 report, it’s essential to understand the impact on the SOC 2 reporting process. Early preparation will help your organization stay ahead of the curve in achieving compliance. It is also essential to ensure that frameworks are aligned and controls are in place to effectively guard against cybersecurity risks and protect sensitive data.

If you would like to start a conversation about SOC 2 reporting, BDO is here to help. Our Third Party Attestation Practice team is dedicated to providing high quality SOC attestation services and can help you begin:

  • Evaluating your control environment;
  • Mapping your controls in consideration of the new implementation guidance related to the Description Criteria and Trust Services Criteria;
  • Identifying any reporting gaps to determine any necessary incremental controls and system description updates;
  • Developing a SOC 2 reporting plan for the new requirements.

Backed by one of the world’s largest global networks, BDO tailors SOC services to meet our clients’ unique needs, allowing us to deliver them in the most efficient and cost-effective way possible.