AICPA - New System and Organization Controls (SOC) guidance

Mar 15, 2023

What could updated SOC 2 and 3 guidance mean for your organization?

The AICPA recently released updated guidance for performing System and Organization Controls (SOC) 2 and SOC 3 engagements. Although the guidance is directed primarily at the service auditors who perform these engagements, any service organization that provides SOC 2 or SOC 3 reports to its customers should become familiar with it and understand how it may affect existing reports.

These changes are intended to keep pace with evolving threats and market dynamics and, ultimately, to strengthen SOC reports. The guidance does not add new requirements or criteria; it provides new implementation guidance and points of focus for meeting the requirements of the existing attestation standards.

The AICPA has released a new reporting guide, description criteria with revised implementation guidance, and Trust Services Criteria with revised points of focus. The new implementation guidance is already in effect and applies to all reporting periods after Oct. 15, 2022.

Inside the AICPA updates

How you apply the guidance for SOC reporting may change. Without proper preparation, engagements may take more time, and processes may need more attention than before. Your organization should be ready for a SOC engagement to be performed differently under the new guidance.

The new implementation guidance lists factors to consider when judging the extent of disclosures and the controls needed to meet certain Trust Services Criteria. Two significant updates are: guidance for cases where additional security frameworks are included in an organization's service commitments or system requirements, and guidance on disclosing whether the organization acts as a data controller, a data processor, or both when the privacy category is in scope.

None of these revisions changed the criteria in the 2017 TSC themselves. Depending on your specific system, the updates may therefore have little or no effect on your current SOC report. Organizations should nonetheless consider them when completing their next risk assessment.

Be prepared for potential changes

If you issue or rely on SOC 2 or SOC 3 reports, you need to understand how changes to the SOC reporting process could affect your organization. The experienced RSM SOC team can identify any necessary reporting adjustments and help you prepare accordingly.

Contact us to discuss the new guidelines and how to continue to demonstrate your commitment to internal controls, security, and data protection, and leverage the full value of SOC reporting.
