A service organization may engage the service auditor to examine and report on subject matters in addition to the description of the service organization’s system in accordance with the description criteria and the suitability of design and operating effectiveness of controls based on the applicable trust services criteria. In that case, the service auditor would also examine and report on whether the additional subject matter is presented in accordance with the additional suitable criteria used to evaluate it. The following table provides examples of additional subject matters and additional criteria that may be used to evaluate them.
Additional Subject Matter and Additional Criteria
A SOC 2® engagement that includes additional subject matters and additional criteria such as those described in the preceding table is predicated on service organization management providing the service auditor with the following:
- An appropriate description of the subject matter
- A description of the criteria identified by management used to measure and present the subject matter
- If the criteria are related to controls, a description of the controls intended to meet the control-related criteria
- An assertion by management regarding the additional subject matter or criteria
The service auditor should perform procedures to obtain sufficient appropriate evidence related to the additional subject matter or criteria in accordance with AT-C section 205 and the relevant guidance in the SOC 2 guide. In accordance with the reporting requirements in AT-C section 205, the service auditor should identify in the service auditor’s report the additional subject matter being reported on or the additional criteria being used to evaluate the subject matter and report on the additional subject matter.
In some situations, the service auditor may be requested to also include in the report a description of the service auditor’s tests of controls or procedures performed to evaluate the existing or additional subject matter against the existing or additional criteria and the detailed results of those tests. In that case, paragraph .A85 of AT-C section 205 provides the following factors for the service auditor to consider before agreeing to include such information in the report:
- Whether such a description is likely to overshadow the service auditor’s overall opinion, which may cause report users to misunderstand the opinion
- Whether the parties making the request have an appropriate business need or reasonable basis for requesting the information (for example, the specified parties are required to maintain and monitor controls that either encompass or are dependent on controls that are the subject of an examination and, therefore, need information about the tests of controls to enable them to have a basis for concluding that they have met the requirements applicable to them)
- Whether the parties understand the nature and subject matter of the engagement and have experience in using the information in such reports
- Whether the service auditor’s procedures relate directly to the subject matter of the engagement
If the service auditor believes that the addition of a description of tests of controls or procedures performed and the results thereof in a separate section of the report is likely to increase the potential for the report to be misunderstood by the requesting parties, the service auditor may decide to add an alert paragraph that restricts the use of the report to the parties making the request. Chapter 4 of the SOC 2 guide discusses the requirements for an alert paragraph in further detail.
Cloud Security Alliance (CSA)
CSA, in collaboration with the AICPA, developed a third-party assessment program for cloud providers officially known as the CSA Security, Trust & Assurance Registry (STAR) Attestation. STAR Attestation provides a framework for CPAs performing independent assessments of cloud providers using SOC 2® engagements together with the CSA's Cloud Controls Matrix. The AICPA has developed an illustrative SOC 2® Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) to assist CPAs in reporting on the suitability of the design and operating effectiveness of a service organization's controls relevant to security and availability based on the criteria for security and availability in TSP Section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), and on the suitability of the design and operating effectiveness of its controls in meeting the criteria in the Cloud Security Alliance Cloud Controls Matrix.
The AICPA HITRUST working group, under the direction of the Trust Information Integrity Task Force, collaborated with HITRUST to develop an illustrative SOC 2® report that also incorporates criteria from the HITRUST Common Security Framework (CSF), along with FAQs, to assist practitioners in the performance of SOC 2® plus HITRUST engagements. HITRUST, a health information trust alliance, established the CSF for use by organizations that create, access, store, or exchange personal health and financial information. The CSF is an information security framework that incorporates and leverages existing security requirements, including federal (HIPAA, HITECH), third-party (PCI, COBIT), and government (NIST, FTC) requirements. The working group developed this mapping between HITRUST CSF version 7 and the AICPA's Trust Services Criteria to enable service organizations to communicate information about the processes and procedures they use to meet the HITRUST CSF requirements in addition to the applicable trust services criteria, increasing transparency and providing more information for decision making. The mapping is also provided to help service auditors achieve efficiencies by designing audit procedures that enable the service auditor to evaluate controls against both sets of criteria at once. Use of the mapping should reduce the inefficiencies that would occur if one set of audit procedures were designed and executed for the HITRUST CSF and an entirely separate set were designed and executed for the Trust Services Criteria.