SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
This authoritative guide was developed to assist CPAs with interpreting and applying the updated attestation standards to SOC 2® and SOC 3® examination engagements.
Learn to effectively perform SOC 2 and SOC 3® examination engagements
More than ever, organizations are outsourcing functions to other organizations (service organizations) that can usually perform them more cost effectively. Although outsourcing may increase revenue, expand market opportunities, and reduce costs for customers and business partners, it also results in new risks arising from interactions with the service organization and its system. To identify, assess, and address the risks associated with a service organization, its services, and the system used to provide the services, customers and business partners usually need information about the design, operation, and effectiveness of controls within the service organization’s system. To support their information needs, customers and business partners often request a SOC 2 report from the service organization.
Updated as of October 15, 2022, this authoritative guide is the most important resource you need to understand how to perform and report on a SOC 2 examination (that is, an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy). It also includes guidance that will help you prepare and issue a SOC 3 report.
See what's new
The October 2022 guide:
- Has been fully updated to reflect new requirements and guidance of SSAE No. 20 and SSAE No. 21.
- Contains insight from expert authors on the SOC 2 Working Group, which consists of CPAs who perform SOC 2 and SOC 3 engagements.
- Includes updated guidance on risk assessment and qualitative materiality assessments.
- Includes a new illustrative report that may be used when performing and reporting on a SOC 2+ examination.
- Includes new implementation guidance related to use of the 2017 trust services criteria (with revised points of focus — 2022) and the 2018 description criteria (with revised implementation guidance — 2022).
- Includes updated illustrative reports.
- SOC 2 engagements: Assertion-based examination of a service organization’s description of its system and its controls relevant to security, availability, processing integrity, confidentiality, or privacy
- SOC 3 engagements: General-use reports relevant to security, availability, processing integrity, confidentiality, or privacy
- Application of the 2017 trust services criteria (with revised points of focus — 2022) when evaluating control design and effectiveness
- Use of the 2018 description criteria (with revised implementation guidance — 2022) for evaluating management’s description of the service organization’s system
- CPAs in public practice engaged to perform SOC 2 and SOC 3® examinations