AICPA - New System and Organization Controls (SOC) guidance

ARTICLE | March 15, 2023

Authored by RSM US LLP

What could updated SOC 2 and 3 guidance mean for your organization?

The AICPA recently released updated guidance to assist teams in implementing System and Organization Controls (SOC) 2 and 3 reports. While the new guidance is generally directed toward the service auditors that perform SOC engagements, any service organizations that produce these reports for their customers should familiarize themselves with the new guidance to understand the impacts on their existing reports.

These changes are designed to adapt to evolving threats and dynamics in the marketplace and ultimately improve the strength of the SOC reports. The AICPA guidance does not necessarily include any new requirements, but it does provide new implementation guidance and focus points for meeting the requirements of the attestation standards.

The AICPA has released a new reporting guide, as well as description criteria with revised implementation guidance and Trust Services Criteria with revised focus points. The new implementation guidelines are already in effect, with all reporting periods after Oct. 15, 2022, subject to the updated documentation.

Inside the AICPA updates

How you apply the guidance for SOC reporting may change. It may take more time, and processes may require more attention without proper preparation. Your organization needs to be ready if a SOC engagement needs to be performed differently under the new guidance.

The new implementation guidance provides factors to consider when judging the extent of disclosures and necessary controls relevant to certain Trust Services Criteria. Two significant updates include guidance for when additional security frameworks are included within an organization’s service commitments or system requirements and disclosing if the organization is a data controller and/or data processor when using the privacy category.

The various guidance revisions did not alter the current criteria in the 2017 TSC. Therefore, depending on your specific system, your current SOC report may have little to no impact. Organizations should consider these changes when completing their next risk assessment.

Be prepared for potential changes

If you utilize SOC 2 or 3 reports, you need to understand how changes to the SOC reporting process could affect your organization. The experienced RSM SOC team can provide effective direction to detail any necessary reporting adjustments and help you prepare accordingly.

Contact us to discuss the new guidelines and how to continue to demonstrate your commitment to internal controls, security, and data protection, and leverage the full value of SOC reporting.

Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/aicpa-new-service-organization-controls-soc-guidance.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.