
SOC update: What recent changes mean for your internal control reporting


As security concerns rise, service organization control (SOC) reports are in much higher demand for proof of internal control strength. Whether you provide SOC reports to clients, or review reports from vendors, recent updates affect how control environments are communicated. Learn what these changes can mean for your organization and how to adjust your SOC strategy.

SOC 2 report demand

The market demand for SOC 2 reports is increasing at a rapid pace. We have witnessed more and more demand for controls reporting, especially the SOC 2 report. This interest is a result of various security breaches in the headlines, and of vendor compliance programs being enhanced in response to these concerns to require SOC reports instead of the standard control questionnaires.

If your organization is providing, or plans to provide, services to other large businesses, expect to receive requests for a controls report. Therefore, we recommend reviewing your organization’s business strategy to determine if a SOC report is an appropriate investment for your future client base or an initiative to differentiate your organization from your competition. In addition, if you currently have a SOC 1, you may receive requests to provide a SOC 2 as well, to demonstrate controls to protect your client’s data.

SOC 3 seal program

The AICPA and CPA Canada are no longer supporting the SOC 3 seal program. Any engagements that are currently in progress, including renewals for existing SOC 3 seals, will continue through Dec. 31, 2014. The market demand was limited for the seal program, and with the SOC logo program in place, the organizations decided to discontinue the seal program. The cessation of the seal program does not impact the performance of SOC 3 engagements, nor the issuance of SOC 3 reports by practitioners.

Updates to the AICPA Trust Services Principles and Criteria

The AICPA has issued the updated Trust Services Principles and Criteria that will change the current structure of the various criteria. Thus, if you currently perform a SOC 2 or 3 report, you should invest some effort to begin to map your existing controls to the suggested criteria to ensure your organization has the appropriate controls designed to achieve the criteria. If you do not currently have a SOC 2 or 3 report, but you’re starting to prepare for a future report (periods ending on or after Dec. 15, 2014), we recommend utilizing the new criteria.

If you review SOC 2 or 3 reports as part of your organization’s vendor compliance program, you can identify which criteria are being utilized by the report's reference to TSP 100 (new standard) or TSP 100A (prior criteria).


