SOC 2 Service Providers: What’s New from Your Auditor?
The updated SOC 2 guide gave us clarifications and examples on how we assess your implementation of the SOC 2 standards.
The SOC 2 guide includes:
- Updates to reflect the new requirements and guidance of SSAE No. 20 and SSAE No. 21.
- Insight from expert authors in the SOC 2 Working Group, which consists of CPAs who perform SOC 2 engagements.
- Updated guidance on risk assessment and qualitative materiality assessments.
- A new illustrative report that may be used when performing and reporting on a SOC 2+ examination.
- New implementation guidance on appropriate use of the 2017 trust services criteria (with revised focus points from 2022) and the 2018 description criteria (with revised implementation guidance from 2022).
- Updated illustrative reports.
Key topics included in the guide:
- Assertion-based examination of a service organization’s description of its system and controls relevant to security, availability, processing integrity, confidentiality or privacy.
- Applying the 2017 trust services criteria (with revised focus points of focus from 2022) when evaluating control design and effectiveness.
- Using the 2018 description criteria (with revised implementation guidance from 2022) for evaluating management’s description of the service organization’s system.
Companies Who Use SOC 2 Reports: What’s New for You?
Increases in Report Transparency
The guide offers those who provide a SOC 2 report more detailed guidance on the type of information they may include within their SOC 2 system description. These include:
- Guidance on the nature and extent of information to include when describing the in-scope components of the IT environment (e.g., software, infrastructure, data).
- Guidance on other areas within the description where service organizations might need to provide certain organization-specific content (e.g., system incidents).
Emphasis on Specific Examination Procedures
The guide adds clarity around several existing service auditor procedures, which might result in enhanced examination procedures and updates to the report. Some examples include:
|Updated Guidance Description||Potential Impact|
|Completeness and Accuracy of Information Provided or Produced by the Entity (IPE)||Auditors may enhance the level of evidence they require from the service organization, especially around areas such as the completeness and accuracy of populations which are used as a basis for sampling.|
|Inherent Risks||Auditors may ask service organizations more questions about these inherent risk areas and place more emphasis on them when planning their examinations than they have in the past.|
|Vendor Risk Management Performed by the Service Organization||Service organizations may need to enhance their vendor risk management procedures.|
At Moore Colson, our Risk Advisory and Compliance Services (RACS) team is dedicated to providing high-quality SOC attestation services. We can assist you with the following, while considering the impact of the updated SOC 2 guide.
- Understanding aspects of your control environment, risk assessment process, information and communication system, and monitoring of controls relevant to the services provided to user entities.
- Mapping your controls in consideration of the new implementation guidance related to the Description Criteria and Trust Services Criteria.
- Identifying any reporting gaps.
- Developing a SOC 2 reporting plan for the new requirements.
- Issuing a SOC 2 Type 1 or Type 2 report.
If you have any questions about how the updated SOC 2 guide will affect your organization, we can help. Don’t hesitate to contact us for more information.