This resource presents criteria for use when providing attestation or consulting services to evaluate controls relevant to the security, availability, and processing integrity of a system, and the confidentiality and privacy of the information processed by the system.
The guidance was established by the AICPA Assurance Services Executive Committee (ASEC) and is required when performing SOC 2® and SOC 3® engagements. The current edition makes the following changes:
- Restructures the privacy criteria into a new, complete set consisting of the common criteria plus the additional privacy criteria.
- Revises Appendix B, "Illustration of Risks and Controls for Sample Entity," to include the additional privacy criteria, together with examples of risks that may prevent the privacy criteria from being met and controls designed to address those risks. Certain illustrative risks and controls for the common criteria have also been revised to conform to the additional privacy criteria.
- Modifies criteria CC3.1 and CC3.2 to clarify that the potential threats include those arising from the use of vendors and other third parties providing goods and services as well as threats arising from customer personnel and others with access to the system. Additionally, criterion CC3.3 was merged into CC3.1 and CC3.2 and eliminated for redundancy.
- Adds two new confidentiality criteria, C1.7 and C1.8, to address the retention and disposal of confidential information.
- Maps the new trust services privacy criteria to the extant generally accepted privacy principles.
Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting Guide
The SOC 1® guide is designed to assist CPAs in transitioning from performing a service auditor’s engagement under Statement on Auditing Standards (SAS) No. 70, Service Organizations, to doing so under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, which replaces the guidance for service auditors in SAS No. 70.
Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®)
The SOC 2® guide provides "how-to" guidance for service auditors performing examinations under AT section 101, Attest Engagements (AICPA, Professional Standards), to report on a service organization's controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy. It includes a new comprehensive illustrative type 2 SOC 2® report and expanded information on the unique challenges and risks service auditors will encounter in performing SOC 2® or SOC 3® engagements for cloud computing service organizations.
This 2016 edition of the AICPA Codification of Statements on Standards for Attestation Engagements includes the newly clarified attestation standards in SSAE No. 18, Attestation Standards: Clarification and Recodification. Redrafted in accordance with the clarity drafting conventions and distinguished from the extant standards by the identifier "AT-C", the clarified standards are easier to read, understand, and apply: each AT-C section states its objectives and definitions, and requirements are separated from application and other explanatory material.
Some of the more significant changes introduced by SSAE No. 18 include:
- Separation of procedural and reporting requirements for review engagements from their counterparts for examination engagements
- Required representation letters
- More robust risk assessment for examination engagements
SSAE No. 18 supersedes all of the extant attestation standards with the following exceptions:
- AT 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements
- AT 701, Management’s Discussion and Analysis