A service organization may request that the service auditor’s report address either criteria in addition to the applicable trust services criteria or additional subject matter related to the service organization’s services using additional suitable criteria related to that subject matter, or both. In the following table, rows 1–4 provide examples of engagements to report on subject matter in addition to management’s description of a service organization’s system, and row 5 provides an example of an engagement to report on the same subject matter (no additional subject matter) based on additional criteria:
Additional Subject Matter and Additional Criteria
In order for a service auditor to report on such additional subject matter or evaluate the subject matter against additional criteria, the service organization provides the following:
- An appropriate supplemental description of the subject matter
- A description of the criteria used to measure and present the subject matter
- If the criteria are related to controls, a description of the controls intended to meet the control-related criteria and an assertion by management regarding the additional subject matter or criteria
The service auditor should perform appropriate procedures related to the additional subject matter or criteria in accordance with the clarified Attest Standards and the relevant guidance in the SOC 2 Guide. In accordance with the reporting requirements in the clarified Attest Standards, the service auditor should identify in the service auditor’s report the additional subject matter being reported on or the additional criteria being used to evaluate the subject matter, and should also express an opinion or disclaim an opinion on the additional subject matter. If engaged to do so, the service auditor may include, in a section of the report, a description of the tests of controls or procedures performed to evaluate the existing or additional subject matter against the existing or additional criteria, together with the detailed results of those tests.
Cloud Security Alliance (CSA)
CSA, in collaboration with the AICPA, developed a third-party assessment program for cloud providers officially known as the CSA Security Trust & Assurance Registry (STAR) Attestation. STAR Attestation provides a framework for CPAs performing independent assessments of cloud providers using SOC 2® engagements with the CSA’s Cloud Controls Matrix. The AICPA has developed an illustrative SOC 2® Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) to assist CPAs in reporting on the suitability of the design and operating effectiveness of a service organization’s controls relevant to security and availability based on the criteria for security and availability in TSP Section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), and on the suitability of the design and operating effectiveness of its controls in meeting the criteria in the Cloud Security Alliance Cloud Controls Matrix.
The AICPA HITRUST working group, under the direction of the Trust Information Integrity Task Force, collaborated with HITRUST to develop an illustrative SOC 2® report that also incorporates criteria from the HITRUST Common Security Framework (CSF), along with FAQs, to assist practitioners in the performance of SOC 2® plus HITRUST engagements. HITRUST, a health information trust alliance, established the CSF for use by organizations that create, access, store, or exchange personal health and financial information. The CSF is an information security framework that incorporates and leverages existing security requirements, including federal (HIPAA, HITECH), third-party (PCI, COBIT), and government (NIST, FTC) requirements. The working group developed this mapping between HITRUST CSF version 7 and the AICPA’s Trust Services Criteria to enable a service organization to communicate information about the processes and procedures it uses to meet the HITRUST CSF requirements in addition to the applicable trust services criteria, increasing transparency and providing more information for decision making. The mapping is also provided to help service auditors achieve efficiencies by designing audit procedures that enable the service auditor to evaluate controls against both sets of criteria at once. Using the mapping should reduce the inefficiencies that would arise if one set of audit procedures were designed and executed for the HITRUST CSF and an entirely separate set were designed and executed for the Trust Services Criteria.