In the fall of 2022, the AICPA published new guidance related to SOC 2 exams and reports. Our specialists break down what you need to know.
During October and November of 2022, the American Institute of Certified Public Accountants (AICPA) published a set of System and Organization Controls (SOC) 2 resources that contain new guidance related to performing SOC 2® examinations and the SOC 2 report deliverable.
No changes were made to the SOC 2 trust services criteria or description criteria requirements themselves, and service organizations can continue with their existing examination scope and control activities. However, the updated guidance helps service organizations provide a more meaningful report to customers and user entities and to gain an early understanding of new or enhanced examination procedures from their service auditor.
A more meaningful look at privacy
Of the five trust services categories, privacy generates the most questions about whether and how it applies to a SOC 2 report. In addition, because of complex privacy laws and regulations, service organization management might feel less confident interpreting the SOC 2 privacy criteria.
The AICPA has removed most of the previous guesswork through new guidance on which privacy criteria and points of focus apply, based on whether the service organization acts as a data controller or data processor of personal information. Service organizations also should disclose which of the two privacy roles they perform within their system description section of the SOC 2 report to enable report users to understand and assess the control activities included in the examination.