The American Institute of Certified Public Accountants (AICPA) recently released an updated Service Organization Controls (SOC®) 2 attest guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC® 2), July 1, 2015. The updated guide contains enhanced practitioner guidance on performing and reporting on SOC 2 examination engagements. These updates affect both service organizations obtaining SOC 2 reports on their systems and companies that use SOC 2 reports as part of their vendor risk management programs.
Highlights from the update to the guide
- Updated illustrative independent service auditor report and management’s assertion
- More explicit guidance on scoping for examinations addressing the Privacy or Confidentiality Trust Services Principles based on the lifecycle for the personal or confidential data
- Considerations when there is not continuous examination coverage between annual SOC reports (e.g., a nine-month reporting period, with the remaining three months not covered by an examination)
- Enhanced guidance on what constitutes a fairly presented description of the service organization's system, including, if applicable, the controls the service organization has in place to monitor the services provided by a subservice organization
- Illustrative guidance on the description of controls included in the service organization’s system description.
- Clarification on complementary user entity controls (CUECs) based on the degree of significance to achieving the applicable trust services criteria
- Illustrative examples of control exception language where a sampling method was used
- Guidance on how to report on controls that did not operate during the examination period
Service providers undergoing SOC 2 examinations should familiarize themselves with these changes and discuss them with their SOC 2 service auditors. As the guide was released in July 2015, the updated requirements should be incorporated into 2015 SOC 2 reports not yet issued.
If you are considering a SOC 2 examination, these changes would apply to your engagement as well.