SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
This authoritative guide was developed to assist CPAs with interpreting and applying the updated attestation standards to SOC 2® and SOC 3® examination engagements.
Learn to effectively perform SOC 2 and SOC 3® examination engagements
More than ever, organizations are outsourcing functions to other organizations (service organizations) that can usually perform them more cost effectively. Although outsourcing may increase revenue, expand market opportunities, and reduce costs for customers and business partners, it also results in new risks arising from interactions with the service organization and its system. To identify, assess, and address the risks associated with a service organization, its services, and the system used to provide the services, customers and business partners usually need information about the design, operation, and effectiveness of controls within the service organization’s system. To support their information needs, customers and business partners often request a SOC 2 report from the service organization.
Updated as of October 15, 2022, this authoritative guide is the most important resource you need to understand how to perform and report on a SOC 2 examination (that is, an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy). It also includes guidance that will help you prepare and issue a SOC 3 report.
See what's new
The October 2022 guide:
- Has been fully updated to reflect new requirements and guidance of SSAE No. 20 and SSAE No. 21.
- Contains insight from expert authors on the SOC 2 Working Group, which consists of CPAs who perform SOC 2 and SOC 3 engagements.
- Includes updated guidance on risk assessment and qualitative materiality assessments.
- Includes a new illustrative report that may be used when performing and reporting on a SOC 2+ examination.
- Includes new implementation guidance related to use of the 2017 trust services criteria (with revised points of focus — 2022) and the 2018 description criteria (with revised implementation guidance — 2022).
- Includes updated illustrative reports.
- SOC 2 engagements: Assertion-based examination of a service organization’s description of its system and its controls relevant to security, availability, processing integrity, confidentiality, or privacy
- SOC 3 engagements: General-use reports relevant to security, availability, processing integrity, confidentiality, or privacy
- Application of the 2017 trust services criteria (with revised points of focus — 2022) when evaluating control design and effectiveness
- Use of the 2018 description criteria (with revised implementation guidance — 2022) for evaluating management’s description of the service organization’s system
- Practitioners performing SOC 2 and SOC 3 engagements
- Managers of service organizations that have SOC 2 and SOC 3 engagements being performed
- SOC 2 and SOC 3 report readers