Insights and Resources

AICPA - New Service Organization Controls (SOC) Guidance

ARTICLE | March 15, 2023

Authored by RSM US LLP

What could updated SOC 2 and 3 guidance mean for your organization?

The AICPA recently released updated guidance to assist teams in implementing System and Organization Controls (SOC) 2 and 3 reports. While the new guidance is generally directed toward the service auditors that perform SOC engagements, any service organizations that produce these reports for their customers should familiarize themselves with the new guidance to understand the impacts on their existing reports.

These changes are designed to adapt to evolving threats and dynamics in the marketplace and ultimately improve the strength of the SOC reports. The AICPA guidance does not necessarily include any new requirements, but it does provide new implementation guidance and focus points for meeting the requirements of the attestation standards.

The AICPA has released a new reporting guide, as well as description criteria with revised implementation guidance and Trust Services Criteria with revised focus points. The new implementation guidelines are already in effect, with all reporting periods after Oct. 15, 2022, subject to the updated documentation.  

Inside the AICPA updates

How you apply the guidance for SOC reporting may change. It may take more time, and processes may require more attention without proper preparation. Your organization needs to be ready if a SOC engagement needs to be performed differently under the new guidance.

The new implementation guidance provides factors to consider when judging the extent of disclosures and necessary controls relevant to certain Trust Services Criteria. Two significant updates include guidance for when additional security frameworks are included within an organization’s service commitments or system requirements and disclosing if the organization is a data controller and/or data processor when using the privacy category.

The various guidance revisions did not alter the current criteria in the 2017 TSC. Therefore, depending on your specific system, your current SOC report may have little to no impact. Organizations should consider these changes when completing their next risk assessment.

Be prepared for potential changes   

If you utilize SOC 2 or 3 reports, you need to understand how changes to the SOC reporting process could affect your organization. The experienced RSM SOC team can provide effective direction to detail any necessary reporting adjustments and help you prepare accordingly.

Contact us to discuss the new guidelines and how to continue to demonstrate your commitment to internal controls, security, and data protection, and leverage the full value of SOC reporting.

Let's Talk!

Call us at +1 213.873.1700, email us at or fill out the form below and we'll contact you to discuss your specific situation.

  • Topic Name:
  • Should be Empty:

This article was written by RSM US LLP and originally appeared on 2023-03-15.
2022 RSM US LLP. All rights reserved.

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

​Vasquez & Company LLP is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.

For more information on how ​Vasquez & Company LLP can assist you, please call +1 213.873.1700.