AICPA’s Updated SOC 2® Guide Offers Direction on Examinations and Addresses Common Practice Issues

March 13, 2018

NEW YORK (March 13, 2018) - The American Institute of CPAs (AICPA) has updated its System and Organization Controls (SOC) 2 guide. The newly revised SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy reflects lessons learned in practice and contains insights from CPAs who perform these engagements.

SOC for Service Organizations engagements produce internal control reports on the services provided by an organization; these reports give users the information they need to assess and address the risks associated with an outsourced service. “SOC 2 provides greater transparency, allowing user organizations to have trust and confidence in the ability of the service organization to carry out its mission,” said Erin Mackler, CPA, CGMA, AICPA director of assurance and advisory services, SOC Reporting. “It also allows companies to manage the risk associated with outsourced systems.”

The updated guide includes relevant advice contained in applicable standards and other technical sources. It explains the relationship between a service organization and its user entities, provides examples of service organizations, offers the criteria to be used to prepare the description of the service organization’s system, identifies the trust services criteria to be used to evaluate the design and operating effectiveness of controls, and explains the difference between a type 1 and type 2 SOC 2 report.

The guide contains illustrative reports for CPAs engaged to examine and report on system and organization controls. There is a new appendix for performing and reporting on a SOC 2 examination in accordance with International Standards on Assurance Engagements (ISAEs) or in accordance with both the AICPA’s attestation standards and the ISAEs.

“CPAs play a critical role in helping service organizations demonstrate the effectiveness of controls relevant to security, availability, confidentiality, processing integrity, and privacy through SOC 2 reporting,” said Tanya Hale, CPA, AICPA senior manager SOC Reporting - Service Organizations. “This updated guide provides CPAs with essential information for performing and reporting on SOC 2 examinations in accordance with the latest relevant standards and criteria.”

The updated guide is available now in paperback, e-book, and with an online subscription.