Impact of AICPA SOC 2 updates

Scott Hicks, Jaclyn Dettloff
Impact of AICPA SOC 2 updates

In the fall of 2022, the AICPA published new guidance related to SOC 2 exams and reports. Our specialists break down what you need to know. 

During October and November of 2022, the American Institute of Certified Public Accountants (AICPA) published a set of System and Organization Controls (SOC) 2 resources that contain new guidance related to performing SOC 2® examinations and the SOC 2 report deliverable.

No changes were made to the SOC 2 trust services criteria or description criteria requirements themselves, and service organizations can continue with their existing examination scope and control activities. However, the updated guidance helps service organizations provide a more meaningful report to customers and user entities and to gain an early understanding of new or enhanced examination procedures from their service auditor.

A more meaningful look at privacy

Of the five trust services categories, privacy generates the most questions on if and how it applies for a SOC 2 report. In addition, because of complex privacy laws and regulations, service organization management might feel less confident interpreting the SOC 2 privacy criteria.

The AICPA has removed most of the previous guesswork through new guidance on which privacy criteria and points of focus apply, based on whether the service organization acts as a data controller or data processor of personal information. Service organizations also should disclose which of the two privacy roles they perform within their system description section of the SOC 2 report to enable report users to understand and assess the control activities included in the examination.

SOC reporting insights
See our latest insights regarding SOC reporting, and learn how we can build a custom plan for your business.

Increased transparency for report users

A separate description criteria resource now offers service organizations more detailed guidance on the type of information they may include within their SOC 2 system description to provide user entities with valuable, organization-specific context on their services, IT environment, and key control processes.

Guidance on the nature and extent of information to include when describing the in-scope components of the IT environment (e.g., software, infrastructure, data), as required by Description Criterion 3, is enhanced. The additional guidance will be equally helpful for service organizations drafting their first SOC 2 description and those looking for opportunities to enhance their existing content.

The AICPA also encourages service organizations to consider other areas within their description where certain organization-specific content might be needed. One example is to disclose what the organization considers to be a system incident, so report users might better understand any disclosures related to system incidents, as required by Description Criterion 4, as well as the description of controls to detect and respond to system incidents.

Emphasis on certain examination procedures

Within the updated AICPA SOC 2 guide, several existing service auditor procedures are now described in a more detailed and prominent manner, which might result in enhanced examination procedures. The procedures that have been enhanced include:

  • Understanding, evaluating, and responding to inherent risk and control risk for the service organization
  • Evaluating the design and precision of management review controls, including the review of SOC reports for subservice organizations
  • Performing procedures related to the completeness and accuracy of information produced by the service organization

Contact us

If you have specific questions around the AICPA’s SOC 2 updates – or any other SOC issues – our team can help. Contact us today to see how we can help your organization with SOC reporting. 
Scott Hicks
Scott Hicks
Partner, IT Assurance Services
Jaclyn Dettloff
Jaclyn Dettloff
Senior Manager, IT Assurance Services