Earlier this month, the American Institute of Certified Public Accountants (“AICPA”) announced the issuance of its revised SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. The updated SOC 2 guide features insights from Certified Public Accountants (“CPAs”) who perform such engagements. CPAs must apply the updated guidance to SOC 2 reports distributed for reporting periods ending on or after December 16, 2018, with earlier adoption permitted.
The AICPA has also issued the following professional standards related to the description criteria (“DC”) for SOC 2 reports:
- Description Criteria Section 200, Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. The 2018 description criteria for use in a SOC 2 report under DC Section 200 features implementation guidance covering things to consider when determining the nature and level of disclosures essential to each criterion. The guidance includes the description criteria’s availability and suitability; preparing and reviewing the presentation of the description of the service organization’s system; materiality considerations; and description criteria and implementation guidance in columnar format.
When applying this standard, professional judgment should be used when considering the service organization and its environment. Additionally, the guidance should be used alongside the 2017 trust services criteria described in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy in a SOC 2 report.
- DC Section 200A, 2015 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report. The 2015 description criteria for use in a SOC 2 report under DC Section 200 replicate paragraphs 1.26–.27 of the 2015 edition of AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). DC Section 200A should be used with the 2016 trust services criteria under TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2016) (AICPA, Trust Services Principles), in a SOC 2 report.
According to DC Section 200A, the 2015 description criteria must be used when preparing a description of the service organization’s system starting December 15, 2018, or before that date (type 1 examination) or a description for periods concluding December 15, 2018, or before that date (type 2 examination). The 2018 description criteria must be used for a description of the service organization’s system on or after December 16, 2018, (type 1 examination) or a system description for periods concluding on or after that date (type 2 examination).
In the transition period between both standards, management should note in the description if the 2018 or 2015 description criteria was used.