
Focus on Vendor Management: AICPA Changes to Test Vendor/Service Organization Security, SOC 2–What Service Organizations Need to Know


December 2, 2015

The American Institute of Certified Public Accountants (AICPA) recently released an updated Service Organization Controls (SOC®) 2 attest guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC® 2), dated July 1, 2015. The updated guide contains enhanced practitioner guidance on performing and reporting on SOC 2 examination engagements. These updates affect both service organizations obtaining SOC 2 reports on their systems and companies that use SOC 2 reports as part of their vendor risk management programs.

Highlights from the update to the guide

  • Updated illustrative independent service auditor’s report and management’s assertion
  • More explicit guidance on scoping examinations that address the Privacy or Confidentiality Trust Services Principles, based on the lifecycle of the personal or confidential data
  • Considerations when there is not continuous examination coverage between annual SOC reports (e.g., a nine-month reporting period, with the remaining three months not covered by an examination)
  • Enhanced guidance on what constitutes a fairly presented service organization system description, including, if applicable, the controls a service organization has in place to monitor the services provided by a subservice organization
  • Illustrative guidance on the description of controls included in the service organization’s system description
  • Clarification on complementary user entity controls (CUECs) based on their degree of significance to achieving the applicable trust services criteria
  • Illustrative examples of control exception language where a sampling method was used
  • Guidance on how to report on controls that did not operate during the examination period

Service providers undergoing SOC 2 examinations should familiarize themselves with these changes and discuss them with their SOC 2 service auditors. As the guide was released in July 2015, the updated requirements should be incorporated into 2015 SOC 2 reports not yet issued.

If you are considering a SOC 2 examination, these changes will apply to your engagement.
