SOC 2® + Additional Subject Matter 


A service organization may request that the service auditor’s report address criteria in addition to the applicable trust services criteria, additional subject matter related to the service organization’s services (measured against additional suitable criteria for that subject matter), or both. In the following table, rows 1–4 give examples of engagements to report on subject matter in addition to management’s description of a service organization’s system, and row 5 gives an example of an engagement to report on the same subject matter (no additional subject matter) based on additional criteria:

Additional Subject Matter and Additional Criteria

Each row lists the additional subject matter, the additional criteria, and an example of the engagement.

1. Additional subject matter: Description of the physical characteristics of a service organization’s facilities
   Additional criteria: Completeness; Accuracy; Criteria specified by an outside party
   Example of the engagement: Reporting on a detailed description of the physical characteristics of a service organization’s facilities (for example, square footage) in addition to reporting on controls at the service organization relevant to the security of the system based on the trust services criteria for security

2. Additional subject matter: Historical data related to the availability of computing resources
   Additional criteria: Completeness; Accuracy
   Example of the engagement: Reporting on historical data regarding the availability of computing resources at a service organization in addition to reporting on controls at the service organization relevant to the availability of the system based on the trust services criteria for availability

3. Additional subject matter: Compliance with a statement of privacy practices
   Additional criteria: Statement of privacy practices
   Example of the engagement: Reporting on a service organization’s compliance with a statement of privacy practices in addition to reporting on controls at the service organization relevant to the privacy of the system based on the trust services criteria for privacy

4. Additional subject matter: N/A
   Additional criteria: Requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification, 45 CFR Sections 164.308–316
   Example of the engagement: Reporting on privacy at a service organization based on regulatory requirements (for example, the security requirements under HIPAA), in addition to reporting on controls at the service organization relevant to the privacy of the system based on the trust services criteria for privacy

5. Additional subject matter: N/A
   Additional criteria: Criteria established by an industry group (such as the Cloud Security Alliance’s Cloud Controls Matrix)
   Example of the engagement: Reporting on security at a service organization based on criteria established by an industry group (such as the Cloud Security Alliance’s Cloud Controls Matrix), in addition to reporting on controls at a service organization relevant to the security of a system based on the trust services criteria for security

In order for a service auditor to report on such additional subject matter or evaluate the subject matter against additional criteria, the service organization provides the following:

  • An appropriate supplemental description of the subject matter
  • A description of the criteria used to measure and present the subject matter
  • If the criteria are related to controls, a description of the controls intended to meet the control-related criteria and an assertion by management regarding the additional subject matter or criteria

The service auditor should perform appropriate procedures related to the additional subject matter or criteria in accordance with the clarified Attest Standards and the relevant guidance in the SOC 2 Guide. In accordance with the reporting requirements in the clarified Attest Standards, the service auditor should identify in the service auditor’s report the additional subject matter being reported on or the additional criteria being used to evaluate the subject matter, and should also express an opinion, or disclaim an opinion, on the additional subject matter. If engaged to do so, the service auditor may include in a section of the report a description of the tests of controls or procedures performed to evaluate the existing or additional subject matter against the existing or additional criteria, together with the detailed results of those tests.

Cloud Security Alliance (CSA)

CSA, in collaboration with the AICPA, developed a third-party assessment program for cloud providers officially known as the CSA Security, Trust & Assurance Registry (STAR) Attestation. STAR Attestation provides a framework for CPAs performing independent assessments of cloud providers using SOC 2® engagements together with the CSA’s Cloud Controls Matrix. The AICPA has developed an illustrative SOC 2® Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) to assist CPAs in reporting on both the suitability of the design and operating effectiveness of a service organization’s controls relevant to security and availability, based on the criteria for security and availability in TSP Section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), and the suitability of the design and operating effectiveness of its controls in meeting the criteria in the Cloud Security Alliance Cloud Controls Matrix.

HITRUST

The AICPA HITRUST working group, under the direction of the Trust Information Integrity Task Force, collaborated with HITRUST to develop an illustrative SOC 2® report that also incorporates criteria from the HITRUST Common Security Framework (CSF), along with FAQs, to assist practitioners in performing SOC 2® plus HITRUST engagements. HITRUST, a health information trust alliance, established the CSF for use by organizations that create, access, store, or exchange personal health and financial information. The CSF is an information security framework that incorporates and leverages existing security requirements, including federal (HIPAA, HITECH), third-party (PCI, COBIT), and government (NIST, FTC) sources. The working group developed this mapping between HITRUST CSF version 8 and the AICPA’s Trust Services Criteria to enable service organizations to communicate information about the processes and procedures they use to meet the HITRUST CSF requirements in addition to the applicable trust services criteria, increasing transparency and providing more information for decision making. The mapping is also intended to help service auditors achieve efficiencies by designing audit procedures that allow them to evaluate controls against both sets of criteria at once. Using the mapping should reduce the inefficiencies that would occur if one set of audit procedures were designed and executed for the HITRUST CSF and an entirely separate set were designed and executed for the Trust Services Criteria.

Copyright © 2006-2017 American Institute of CPAs.