Guide: SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
Ebook, 1,022 pages, 13 hours

About this ebook

Updated as of January 1, 2018, this guide includes relevant guidance contained in applicable standards and other technical sources. It explains the relationship between a service organization and its user entities, provides examples of service organizations, describes the description criteria to be used to prepare the description of the service organization’s system, identifies the trust services criteria as the criteria to be used to evaluate the design and operating effectiveness of controls, explains the difference between a type 1 and type 2 SOC 2 report, and provides illustrative reports for CPAs engaged to examine and report on system and organization controls at a service organization. It also describes the matters to be considered and procedures to be performed by the service auditor in planning, performing, and reporting on SOC 2 and SOC 3 engagements.
New to this edition are:
  • Updated for SSAE No. 18 (clarified attestation standards), this guide has been fully conformed to reflect lessons learned in practice
  • Contains insight from expert authors on the SOC 2 working group composed of CPAs who perform SOC 2 and SOC 3 engagements
  • Includes illustrative report paragraphs describing the matter that gave rise to the report modification for a large variety of situations
  • Includes a new appendix for performing and reporting on a SOC 2 examination in accordance with International Standards on Assurance Engagements (ISAEs) or in accordance with both the AICPA’s attestation standards and the ISAEs
Language: English
Publisher: Wiley
Release date: Mar 26, 2018
ISBN: 9781945498619
    Guide - AICPA

    Preface

    (Updated as of January 1, 2018)

    About AICPA Guides

    This AICPA Guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, has been developed by members of the AICPA Assurance Services Executive Committee’s (ASEC’s) SOC 2® Working Group, in conjunction with members of the Auditing Standards Board (ASB), to assist practitioners engaged to examine and report on a service organization’s controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy.

    This AICPA Guide includes certain content presented as Supplement or Appendix. A supplement is a reproduction, in whole or in part, of authoritative guidance originally issued by a standard-setting body (including regulatory bodies) and is applicable to entities or engagements within the purview of that standard setter, independent of the authoritative status of the applicable AICPA Guide. Appendixes are included for informational purposes and have no authoritative status.

    An AICPA Guide containing attestation guidance is recognized as an interpretive publication as described in AT-C section 105, Concepts Common to All Attestation Engagements.1 Interpretive publications are recommendations on the application of Statements on Standards for Attestation Engagements (SSAEs) in specific circumstances, including engagements for entities in specialized industries. Interpretive publications are issued under the authority of the ASB. The members of the ASB have found the attestation guidance in this guide to be consistent with existing SSAEs.

    A practitioner should be aware of and consider the guidance in this guide that is applicable to his or her attestation engagement. If the practitioner does not apply the attestation guidance included in an applicable AICPA Guide, the practitioner should be prepared to explain how he or she complied with the SSAE provisions addressed by such attestation guidance.

    Any attestation guidance in a guide appendix, although not authoritative, is considered an other attestation publication. In applying such guidance, the practitioner should, exercising professional judgment, assess the relevance and appropriateness of such guidance to the circumstances of the engagement. Although the practitioner determines the relevance of other attestation guidance, such guidance in a guide appendix has been reviewed by the AICPA Audit and Attest Standards staff and the practitioner may presume that it is appropriate.

    The ASB is the designated senior committee of the AICPA authorized to speak for the AICPA on all matters related to attestation. Conforming changes made to the attestation guidance contained in this guide are approved by the ASB Chair (or his or her designee) and the Director of the AICPA Audit and Attest Standards Staff. Updates made to the attestation guidance in this guide exceeding that of conforming changes are issued after all ASB members have been provided an opportunity to consider and comment on whether the guide is consistent with the SSAEs.

    Purpose and Applicability

    This guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, provides guidance to practitioners engaged to examine and report on a service organization’s controls over one or more of the following:

    The security of a service organization’s system

    The availability of a service organization’s system

    The processing integrity of a service organization’s system

    The confidentiality of the information that the service organization’s system processes or maintains for user entities

    The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities

    In April 2016, the ASB issued SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105 and AT-C section 205, Examination Engagements. AT-C sections 105 and 205 establish the requirements and application guidance for reporting on a service organization’s controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy.

    The attestation standards enable a practitioner to report on subject matter other than historical financial statements. A practitioner may be engaged to examine and report on controls at a service organization related to various types of subject matter (for example, controls that affect user entities’ financial reporting or the privacy of information processed for user entities’ customers).

    Defining Professional Responsibilities in AICPA Professional Standards

    AICPA professional standards applicable to attestation engagements use the following two categories of professional requirements, identified by specific terms, to describe the degree of responsibility they impose on a practitioner:

    Unconditional requirements. The practitioner must comply with an unconditional requirement in all cases in which such requirement is relevant. The attestation standards use the word must to indicate an unconditional requirement.

    Presumptively mandatory requirements. The practitioner must comply with a presumptively mandatory requirement in all cases in which such requirement is relevant; however, in rare circumstances, the practitioner may judge it necessary to depart from the requirement. The need for the practitioner to depart from a relevant presumptively mandatory requirement is expected to arise only when the requirement is for a specific procedure to be performed and, in the specific circumstances of the engagement, that procedure would be ineffective in achieving the intent of the requirement. In such circumstances, the practitioner should perform alternative procedures to achieve the intent of that requirement and should document the justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of the requirement. The attestation standards use the word should to indicate a presumptively mandatory requirement.

    References to Professional Standards

    In citing attestation standards and their related interpretations, references to standards that have been codified use section numbers within the codification of currently effective SSAEs and not the original statement number.

    Changes to the Attestation Standards Introduced by SSAE No. 18

    Restructuring of the Attestation Standards

    The attestation standards provide for three types of services—examination, review, and agreed-upon procedures engagements. SSAE No. 18 restructures the attestation standards so that the applicability of any AT-C section to a particular engagement depends on the type of service provided and the subject matter of the engagement.

    AT-C section 105 contains requirements and application guidance applicable to any attestation engagement. AT-C section 205, AT-C section 210, Review Engagements, and AT-C section 215, Agreed-Upon Procedures Engagements, each contain incremental requirements and application guidance specific to the level of service performed. The applicable requirements and application guidance for any attestation engagement are contained in at least two AT-C sections: AT-C section 105 and either AT-C section 205, 210, or 215, depending on the level of service provided.

    In addition, incremental requirements and application guidance unique to four subject matters are included in the subject matter AT-C sections. Those sections are AT-C section 305, Prospective Financial Information, AT-C section 310, Reporting on Pro Forma Financial Information, AT-C section 315, Compliance Attestation, and AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting. The applicable requirements and application guidance for an engagement to report on any of these subject matters are contained in three AT-C sections: AT-C section 105; AT-C section 205, 210, or 215, depending on the level of service provided; and the applicable subject matter section.

    To avoid repetition, the requirements and application guidance in AT-C section 105 are not repeated in the level of service sections or in the subject matter sections, and the requirements and application guidance in the level of service sections are not repeated in the subject matter sections, except for repetition of the basic report elements for the particular subject matter.

    Practitioner Is Required to Request a Written Assertion

    In all attestation engagements, the practitioner is required to request from the responsible party a written assertion about the measurement or evaluation of the subject matter against the criteria. In examination and review engagements, when the engaging party is also the responsible party, the responsible party’s refusal to provide a written assertion requires the practitioner to withdraw from the engagement when withdrawal is possible under applicable laws and regulations. In examination and review engagements, when the engaging party is not the responsible party, the responsible party’s refusal to provide a written assertion requires the practitioner to disclose that refusal in the practitioner’s report and restrict the use of the report to the engaging party. In an agreed-upon procedures engagement, the responsible party’s refusal to provide a written assertion requires the practitioner to disclose that refusal in the practitioner’s report.

    Risk Assessment in Examination Engagements

    SSAE No. 18 incorporates a risk assessment model in examination engagements. In examination engagements, the practitioner is required to obtain an understanding of the subject matter that is sufficient to enable the practitioner to identify and assess the risks of material misstatement in the subject matter and provide a basis for designing and performing procedures to respond to the assessed risks.

    Incorporates Certain Requirements Contained in the Auditing Standards

    SSAE No. 18 incorporates a number of detailed requirements that are similar to those contained in the Statements on Auditing Standards, such as the requirement to obtain a written engagement letter and to request written representations. SSAE No. 18 includes these requirements based on the ASB’s belief that a service that results in a level of assurance similar to that obtained in an audit or review of historical financial statements should generally consist of similar requirements.

    Separate Discussion of Review Engagements

    SSAE No. 18 separates the detailed procedural and reporting requirements for review engagements from their counterparts for examination engagements. The resulting guidance more clearly differentiates the two services.

    Convergence

    It is the ASB’s general strategy to converge its standards with those of the International Auditing and Assurance Standards Board. Accordingly, the foundation for AT-C sections 105, 205, and 210 is International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information. Many of the paragraphs in SSAE No. 18 have been converged with the related paragraphs in ISAE 3000 (Revised), with certain changes made to reflect U.S. professional standards. Other content included in this statement is derived from the extant SSAEs. The ASB decided not to adopt certain provisions of ISAE 3000 (Revised); for example, a practitioner is not permitted to issue an examination or review report if the practitioner has not obtained a written assertion from the responsible party, except when the engaging party is not the responsible party. In the ISAEs, an assertion (or representation about the subject matter against the criteria) is not required in order for the practitioner to report.

    Examinations of System and Organization Controls: SOC Suite of Services

    In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide relating to system-level controls of a service organization or system- or entity-level controls of other organizations. Formerly, SOC referred to service organization controls. By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations. This guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, is an interpretation of AT-C section 105 and AT-C section 205 that assists CPAs in reporting on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system. This engagement is referred to as SOC 2®—SOC for Service Organizations: Trust Services Criteria. Other SOC engagements include the following:

    SOC 1®—SOC for Service Organizations: ICFR. Service organizations may provide services that are relevant to their customers’ internal control over financial reporting and, therefore, to the audit of financial statements. The requirements and guidance for performing and reporting on such controls are provided in AT-C section 320. The AICPA Guide Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®) is an interpretation of AT-C section 320 that assists CPAs engaged to examine and report on controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting.

    SOC 3®—SOC for Service Organizations: Trust Services Criteria for General Use Report. Similar to a SOC 2® engagement, in a SOC 3® examination the practitioner reports on whether controls within the system were effective to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. Although the requirements and guidance for performing a SOC 3® examination are similar to a SOC 2® examination, the reporting requirements are different. Because of the different reporting requirements, a SOC 2® report is appropriate only for specified parties with sufficient knowledge and understanding of the service organization and the system, whereas a SOC 3® report is ordinarily appropriate for general use.

    SOC for Cybersecurity. As part of an entity’s cybersecurity risk management program, an entity designs, implements, and operates cybersecurity controls. An engagement to examine and report on a description of the entity’s cybersecurity risk management program and the effectiveness of controls within that program is a cybersecurity risk management examination. The requirements and guidance for performing and reporting in a cybersecurity risk management examination are provided in AT-C section 105 and AT-C section 205. The AICPA Guide Reporting on an Entity’s Cybersecurity Risk Management Program and Controls is an interpretation of AT-C section 205 that assists practitioners engaged to examine and report on the description of an entity’s cybersecurity risk management program and the effectiveness of controls within that program.

    This guide focuses on SOC 2® engagements. To make practitioners aware of the various professional standards and guides available to them for examining and reporting on system-level controls at a service organization and entity-level controls at other organizations, and to help practitioners select the appropriate standard or guide for a particular engagement, appendix B, Comparison of SOC 1®, SOC 2®, and SOC 3® Examinations and Related Reports, includes a table that compares the features of the three engagements. Additionally, appendix C, Illustrative Comparison of a SOC 2® Examination and Related Report With the Cybersecurity Risk Management Examination and Related Report, compares the features of a SOC 2® examination and a cybersecurity risk management examination.

    Revisions to Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report

    In February 2018, the AICPA ASEC issued revised description criteria for a description of a service organization’s system in a SOC 2® report, which are codified in DC section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (2018 description criteria).2 The extant description criteria included in paragraphs 1.26–.27 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) (2015 description criteria) are now codified in DC section 200A. The 2018 description criteria were established by ASEC for use by service organization management when preparing the description of the service organization’s system and by the service auditors when evaluating whether the description is presented in accordance with the description criteria in a SOC 2® examination.

    ASEC, in establishing and developing these criteria, followed due process procedures, including exposure of the proposed criteria for public comment. Under BL section 360, Committees,3 ASEC has been designated as a senior committee and has been given authority to make public statements and publish measurement criteria without clearance from AICPA Council or the board of directors.

    Revisions to Trust Services Criteria

    In April 2017, ASEC issued revisions to the trust services criteria for security, availability, processing integrity, confidentiality, or privacy. Codified as TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy,4 the revised trust services criteria were established by the ASEC for use by practitioners when providing attestation or consulting services to evaluate controls relevant to the security, availability, or processing integrity of one or more systems, or the confidentiality or privacy of information processed by one or more systems, used by an entity. Management of an entity may also use the trust services criteria to evaluate the suitability of design and operating effectiveness of such controls.

    ASEC, in establishing and developing these criteria, followed due process procedures, including exposure of the proposed criteria for public comment.

    The trust services principles and criteria were revised to do the following:

    Restructure and align the trust services criteria with the Committee of Sponsoring Organizations of the Treadway Commission’s 2013 Internal Control—Integrated Framework (COSO framework). ASEC restructured and realigned the trust services criteria to facilitate their use in an entity-wide engagement. Because the COSO framework is a widely used and accepted internal control framework that is intended to be applied to internal control at an entity as a whole or to a segment of an entity, ASEC determined that alignment with that framework was the best way to revise the trust services criteria for use when reporting at an entity level. Therefore, the 2017 trust services criteria align with the 17 principles in the COSO framework.5

    The 2017 trust services criteria may be used to evaluate control effectiveness in examinations of various subject matters. In addition, they may be used to evaluate controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems

    across an entire entity;

    at a subsidiary, division, or operating unit level;

    within a function or system; or

    for a particular type of information used by the entity.

    Rename the trust services principles and criteria. The COSO framework uses the term principles to refer to the elements of internal control that must be present or functioning for the entity’s internal control to be considered effective. To avoid confusion between the terminology used in the COSO framework and that used in the trust services principles and criteria, the latter were renamed as the trust services criteria. In addition, the five principles (security, availability, processing integrity, confidentiality, and privacy) included therein are now referred to as the trust services categories.

    Restructure the criteria and add supplemental criteria to better address cybersecurity risks in engagements using the trust services criteria. The 2017 trust services criteria address risk management, incident management, and certain other areas at a more detailed level than the previous version of the criteria. In addition, the 2017 trust services criteria include new supplemental criteria to address areas that are increasingly important to information security. The new criteria are organized into the following categories:

    Logical and physical access controls. The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access to meet the entity’s objectives addressed by the engagement

    System operations. The criteria relevant to how an entity manages the operation of systems and detects and mitigates processing deviations, including logical and physical security deviations, to meet the entity’s objectives addressed by the engagement

    Change management. The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made, to meet the entity’s objectives addressed by the engagement

    Add points of focus to all criteria. The COSO framework contains points of focus that represent important characteristics of the criteria to help users apply the criteria; thus, those points of focus are included in the revised trust services criteria. In addition, points of focus have been developed for each of the new supplemental criteria described in the previous bullet. Similar to the points of focus included in the COSO framework, the points of focus related to the supplemental criteria also represent important characteristics of those criteria. The points of focus may assist management and the practitioner in evaluating whether the controls are suitably designed and operating effectively; however, use of the criteria does not require management or the practitioner to separately assess whether points of focus are addressed.

    AICPA.org Website

    The AICPA encourages you to visit its website at aicpa.org and the Financial Reporting Center website at www.aicpa.org/frc. The Financial Reporting Center supports members in the execution of high-quality financial reporting. Whether you are a financial statement preparer or a member in public practice, this center provides exclusive member-only resources for the entire financial reporting process, and provides timely and relevant news, guidance, and examples supporting the financial reporting process, including accounting, preparing financial statements, and performing compilation, review, audit, attest, or assurance and advisory engagements. Certain content on the AICPA’s websites referenced in this guide may be restricted to AICPA members only.

    Recognition

    Auditing Standards Board (2016–2017)

    Michael J. Santay, Chair

    Gerry Boaz

    Jay Brodish, Jr.

    Dora Burzenski

    Joseph S. Cascio

    Lawrence Gill

    Steven M. Glover

    Gaylen Hansen

    Tracy Harding

    Daniel J. Hevia

    Ilene Kassman

    Alan Long

    Richard Miller

    Daniel D. Montgomery

    Steven Morrison

    Richard N. Reisig

    Catherine M. Schweigel

    Jere G. Shawyer

    Chad Singletary

    Assurance Services Executive Committee (2016–2017)

    Robert Dohrer, Chair

    Bradley Ames

    Christine M. Anderson

    Bradley Beasley

    Nancy Bumgarner

    Jim Burton

    Chris Halterman

    Mary Grace Davenport

    Jennifer Haskell

    Brad Muniz

    Michael Ptasienski

    Joanna Purtell

    Miklos Vasarhelyi

    ASEC SOC 2® Working Group

    Chris Halterman, Chair

    Efrim Boritz

    Brandon Brown

    Jeff Cook

    Charles Curran

    Peter F. Heuzey

    Eddie Holt

    Audrey Katcher

    Kevin Knight

    Christopher W. Kradjan

    Thomas Patterson

    Binita Pradhan

    John Richardson

    Soma Sinha

    Rod Smith

    David Wood

    AICPA Staff

    Charles E. Landes

    Vice President

    Professional Standards and Services

    Amy Pawlicki

    Vice President

    Assurance and Advisory Innovation

    Erin Mackler

    Director

    Assurance and Advisory Services—SOC Reporting

    Mimi Blanco-Best

    Senior Manager

    Guidance—Assurance and Advisory SOC Reporting

    Tanya Hale

    Senior Manager

    SOC Reporting—Service Organizations

    Nisha Gordhan

    Manager

    Product Management and Development

    Notes

    1 All AT-C sections can be found in AICPA Professional Standards.

    2 DC sections can be found in AICPA Description Criteria.

    3 BL sections can be found in AICPA Professional Standards.

    4 TSP sections can be found in AICPA Trust Services Criteria.

    5 ©2013, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used by permission. See www.coso.org.

    TABLE OF CONTENTS

    1 Introduction and Background

    Introduction

    Intended Users of a SOC 2® Report

    Overview of a SOC 2® Examination

    Contents of the SOC 2® Report

    Definition of a System

    Boundaries of the System

    Time Frame of Examination

    Difference Between Privacy and Confidentiality

    Criteria for a SOC 2® Examination

    The Service Organization’s Service Commitments and System Requirements

    SOC 2® Examination That Addresses Additional Subject Matters and Additional Criteria

    SOC 3® Examination

    Other Types of SOC Examinations: SOC Suite of Services

    SOC 1®—SOC for Service Organizations: ICFR

    SOC for Cybersecurity

    Professional Standards

    Attestation Standards

    Code of Professional Conduct

    Quality in the SOC 2® Examination

    Definitions

    2 Accepting and Planning a SOC 2® Examination

    Introduction

    Understanding Service Organization Management’s Responsibilities

    Management Responsibilities Prior to Engaging the Service Auditor

    Management Responsibilities During the Examination

    Management’s Responsibilities During Engagement Completion

    Responsibilities of the Service Auditor

    Engagement Acceptance and Continuance

    Independence

    Competence of Engagement Team Members

    Preconditions of a SOC 2® Engagement

    Determining Whether the Subject Matter Is Appropriate for the SOC 2® Examination

    Determining Whether Management Is Likely to Have a Reasonable Basis for Its Assertion

    Assessing the Suitability and Availability of Criteria

    Assessing the Appropriateness of the Service Organization’s Principal Service Commitments and System Requirements Stated in the Description

    Requesting a Written Assertion and Representations From Service Organization Management

    Agreeing on the Terms of the Engagement

    Accepting a Change in the Terms of the Examination

    Additional Considerations for a Request to Extend or Modify the Period Covered by the Examination

    Establishing an Overall Examination Strategy for and Planning the Examination

    Planning Considerations When the Inclusive Method Is Used to Present the Services of a Subservice Organization

    Considering Materiality During Planning

    Performing Risk Assessment Procedures

    Obtaining an Understanding of the Service Organization’s System

    Assessing the Risk of Material Misstatement

    Considering Entity-Level Controls

    Understanding the Internal Audit Function

    Planning to Use the Work of Internal Auditors

    Evaluating the Competence, Objectivity, and Systematic Approach Used by Internal Auditors

    Determining the Extent to Which to Use the Work of Internal Auditors

    Coordinating Procedures With the Internal Auditors

    Evaluating Whether the Work of Internal Auditors Is Adequate for the Service Auditor’s Purposes

    Planning to Use the Work of an Other Practitioner

    Planning to Use the Work of a Service Auditor’s Specialist

    Accepting and Planning a SOC 3® Examination

    3 Performing the SOC 2® Examination

    Designing Overall Responses to the Risk Assessment and Obtaining Evidence

    Considering Materiality in Responding to the Assessed Risks and Planning Procedures

    Defining Misstatements in This Guide

    Obtaining and Evaluating Evidence About Whether the Description Presents the System That Was Designed and Implemented in Accordance With the Description Criteria

    The Service Organization’s Service Commitments and System Requirements

    Disclosures About Individual Controls

    Disclosures About System Incidents

    Disclosures About Complementary User Entity Controls and User Entity Responsibilities

    Disclosures Related to Subservice Organizations

    Disclosures About Complementary Subservice Organization Controls

    Disclosures About Significant Changes to the System During the Period Covered by a Type 2 Examination

    Changes to the System That Occur Between the Periods Covered by a Type 2 Examination

    Procedures to Obtain Evidence About the Description

    Considering Whether the Description Is Misstated or Otherwise Misleading

    Identifying and Evaluating Description Misstatements

    Materiality Considerations When Evaluating Whether the Description Is Presented in Accordance With the Description Criteria

    Obtaining and Evaluating Evidence About the Suitability of the Design of Controls

    Additional Considerations for Subservice Organizations

    Multiple Controls Are Necessary to Address an Applicable Trust Services Criterion

    Multiple Controls to Achieve the Service Organization’s Service Commitments and Service Requirements Based on the Same Applicable Trust Services Criterion

    Procedures to Obtain Evidence About the Suitability of Design of Controls

    Identifying and Evaluating Deficiencies in the Suitability of Design of Controls

    Obtaining and Evaluating Evidence About the Operating Effectiveness of Controls in a Type 2 Examination

    Designing and Performing Tests of Controls

    Nature of Tests of Controls

    Evaluating the Reliability of Information Produced by the Service Organization

    Timing of Tests of Controls

    Extent of Tests of Controls

    Testing Superseded Controls

    Using Sampling to Select Items to Be Tested

    Selecting Items to Be Tested

    Additional Considerations Related to Risks of Vendors and Business Partners

    Additional Considerations Related to CSOCs

    Considering Controls That Did Not Need to Operate During the Period Covered by the Examination

    Identifying and Evaluating Deviations in the Operating Effectiveness of Controls

    Materiality Considerations When Evaluating the Suitability of Design and Operating Effectiveness of Controls

    Using the Work of the Internal Audit Function

    Using the Work of a Service Auditor’s Specialist

    Revising the Risk Assessment

    Evaluating the Results of Procedures

    Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Design or Operating Effectiveness of Controls

    Known or Suspected Fraud or Noncompliance With Laws or Regulations

    Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies

    Obtaining Written Representations

    Requested Written Representations Not Provided or Not Reliable

    Representations From the Engaging Party When Not the Responsible Party

    Subsequent Events and Subsequently Discovered Facts

    Subsequent Events Unlikely to Have an Effect on the Service Auditor’s Report

    Documentation

    Considering Whether Service Organization Management Should Modify Its Assertion

    4 Forming the Opinion and Preparing the Service Auditor’s Report

    Responsibilities of the Service Auditor

    Forming the Service Auditor’s Opinion

    Concluding on the Sufficiency and Appropriateness of Evidence

    Considering Uncorrected Description Misstatements and Deficiencies

    Expressing an Opinion on Each of the Subject Matters in the SOC 2® Examination

    Describing Tests of Controls and the Results of Tests in a Type 2 Report

    Describing Tests of Controls and Results When Using the Internal Audit Function

    Describing Tests of the Reliability of Information Produced by the Service Organization

    Preparing the Service Auditor’s SOC 2® Report

    Elements of the Service Auditor’s SOC 2® Report

    Requirement to Restrict the Use of the SOC 2® Report

    Reporting When the Service Organization’s Design of Controls Assumes Complementary User Entity Controls

    Reporting When the Service Organization Carves Out the Controls at a Subservice Organization

    Reporting When the Service Auditor Assumes Responsibility for the Work of an Other Practitioner

    Modifications to the Service Auditor’s Report

    Qualified Opinion

    Adverse Opinion

    Scope Limitation

    Disclaimer of Opinion

    Report Paragraphs Describing the Matter Giving Rise to the Modification

    Illustrative Separate Paragraphs When There Are Material Misstatements in the Description

    Illustrative Separate Paragraphs: Material Deficiencies in the Suitability of Controls

    Illustrative Separate Paragraphs: Material Deficiencies in the Operating Effectiveness of Controls

    Other Matters Related to the Service Auditor’s Report

    Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs

    Distribution of the Report by Management

    Service Auditor’s Recommendations for Improving Controls

    Other Information Not Covered by the Service Auditor’s Report

    Illustrative Type 2 Reports

    Preparing a Type 1 Report

    Forming the Opinion and Preparing a SOC 3® Report

    Elements of the SOC 3® Report

    Elements of the Service Auditor’s Report

    Illustrative SOC 3® Management Assertion and Service Auditor’s Report

    Supplement A 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report

    Supplement B Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

    A Information for Service Organization Management

    B Comparison of SOC 1®, SOC 2®, and SOC 3® Examinations and Related Reports

    C Illustrative Comparison of a SOC 2® Examination and Related Report With the Cybersecurity Risk Management Examination and Related Report

    D

    D-1 Illustrative Management Assertion and Service Auditor’s Report for a Type 2 Examination (Carved-Out Controls of a Subservice Organization and Complementary Subservice Organization and Complementary User Entity Controls)

    D-2 Illustrative Service Organization and Subservice Organization Management Assertions and Service Auditor’s Report for a Type 2 Examination (Subservice Organization Presented Using the Inclusive Method and Complementary User Entity Controls)

    D-3 Illustrative Service Auditor’s Report for a Type 2 Examination in Which the Service Auditor Disclaims an Opinion Because of a Scope Limitation

    D-4 Illustrative Type 2 Report (Including Management’s Assertion, Service Auditor’s Report, and the Description of the System)

    E Illustrative Management Assertion and Service Auditor’s Report for a Type 1 Examination

    F Illustrative Management Assertion and Service Auditor’s Report for a SOC 3® Examination

    G

    G-1 Illustrative Management Representation Letter for Type 2 Engagement

    G-2 Illustrative Management Representation Letter for Type 1 Engagement

    H Performing and Reporting on a SOC 2® Examination in Accordance With International Standards on Assurance Engagements (ISAEs) or in Accordance With Both the AICPA’s Attestation Standards and the ISAEs

    I Definitions

    EULA

    Chapter 1

    Introduction and Background

    This chapter explains the relationship between a service organization and its user entities; provides examples of service organizations and the services they may provide; explains the relationship between those services and the system used to provide them; describes the components of a system and its boundaries; identifies the criteria used to evaluate a description of a service organization’s system (description criteria) and the criteria (applicable trust services criteria) used to evaluate whether controls were suitably designed and operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved; and explains the difference between a type 1 and type 2 SOC 2® report. It also describes the relationship between a service organization and its business partners and the effect of a service organization’s system on those business partners. In addition, this chapter provides an overview of a SOC 3® examination and other SOC services.

    Introduction

    1.01 Entities often use business relationships with other entities to further their objectives. Network-based information technology has enabled, and telecommunications systems have substantially increased, the economic benefits derived from these relationships. For example, some entities (user entities) are able to function more efficiently and effectively by outsourcing tasks or entire functions to another organization (service organization). A service organization is organized and operated to provide user entities with the benefits of the services of its personnel, expertise, equipment, and technology to help accomplish these tasks or functions. Other entities (business partners) enter into agreements with a service organization that enable the service organization to offer the business partners’ services or assets (for example, intellectual property) to the service organization’s customers. In such instances, business partners may want to understand the effectiveness of controls implemented by the service organization to protect the business partners’ intellectual property.

    1.02 Examples of the types of services provided by service organizations are as follows:

    Customer support. Providing customers of user entities with online or telephonic post-sales support and service management. Examples of these services are warranty inquiries and investigating and responding to customer complaints.

    Health care claims management and processing. Providing medical providers, employers, third-party administrators, and insured parties of employers with systems that enable medical records and related health insurance claims to be processed accurately, securely, and confidentially.

    Enterprise IT outsourcing services. Managing, operating, and maintaining user entities’ IT data centers, infrastructure, and application systems and related functions that support IT activities, such as network, production, security, change management, hardware, and environmental control activities.

    Managed security. Managing access to networks and computing systems for user entities (for example, granting access to a system and preventing, or detecting and mitigating, system intrusion).

    Financial technology (FinTech) services. Providing financial services companies with IT-based transaction processing services. Examples of such transactions are loan processing, peer-to-peer lending, payment processing, crowdfunding, big data analytics, and asset management.

    1.03 Although these relationships may increase revenues, expand market opportunities, and reduce costs for the user entities and business partners, they also result in additional risks arising from interactions with the service organization and its system. Accordingly, the management of those user entities and business partners is responsible for identifying, evaluating, and addressing those additional risks as part of its risk assessment. In addition, although management can delegate responsibility for specific tasks or functions to a service organization, management remains accountable for those tasks to boards of directors, shareholders, regulators, customers, and other affected parties. As a result, management is responsible for establishing effective internal control over its interactions with service organizations and their systems.

    1.04 To assess and address the risks associated with a service organization, its services, and the system used to provide the services, user entities and business partners usually need information about the design, operation, and effectiveness of controls within the system. To support their risk assessments, user entities and business partners may request a SOC 2® report from the service organization. A SOC 2® report is the result of an examination of whether (a) the description of the service organization’s system presents the system that was designed and implemented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the criteria, if those controls operated effectively, and (c) in a type 2 examination, the controls stated in the description operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the criteria relevant to the security, availability, or processing integrity of the service organization’s system (security, availability, processing integrity) or based on the criteria relevant to the system’s ability to maintain the confidentiality or privacy of the information processed for user entities (confidentiality or privacy). This examination, which is referred to as a SOC 2® examination, is the subject of this guide.

    1.05 Because the informational needs of SOC 2® report users vary, there are two types of SOC 2® examinations and related reports:

    a. A type 1 examination is an examination of whether

    i. a service organization’s description presents the system that was designed and implemented as of a point in time in accordance with the description criteria and

    ii. controls were suitably designed as of a point in time to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, if controls operated effectively.

    A report on such an examination is referred to as a type 1 report.

    b. A type 2 examination also addresses the description of the system and the suitability of design of controls, but it includes an additional subject matter: whether controls operated effectively throughout a specified period to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. A type 2 examination also includes a detailed description of the service auditor’s tests of controls and the results of those tests. A report on such an examination is referred to as a type 2 report.

    1.06 A service auditor is engaged to perform either a type 1 or a type 2 examination, and the examination is of the same type for all controls stated in the description. A service auditor may not be engaged to examine and express an opinion on the description of the service organization’s system and the suitability of design of certain controls stated in the description while also being engaged to express an opinion on the operating effectiveness of other controls stated in the description.

    Intended Users of a SOC 2® Report

    1.07 A SOC 2® report, whether a type 1 or a type 2 report, is usually intended to provide report users with information about the service organization’s system relevant to security, availability, processing integrity, confidentiality, or privacy to enable such users to assess and address the risks that arise from their relationships with the service organization. For instance, the description of the service organization’s system is intended to provide report users with information about the system that may be useful when assessing the risks arising from interactions with the service organization’s system, particularly system controls that the service organization has designed, implemented, and operated to provide reasonable assurance that its service commitments and system requirements were achieved based on the applicable trust services criteria. For example, disclosures about the types of services provided, the environment in which the entity operates, and the components of the system used to provide such services allow report users to better understand the context in which the system controls operate.

    1.08 A SOC 2® report is intended for use by those who have sufficient knowledge and understanding of the service organization, the services it provides, and the system used to provide those services, among other matters. Without such knowledge, users are likely to misunderstand the content of the SOC 2® report, the assertions made by management, and the service auditor’s opinion, all of which are included in the report. For that reason, management and the service auditor should agree on the intended users of the report (referred to as specified parties). The expected knowledge of specified parties ordinarily includes the following:

    The nature of the service provided by the service organization

    How the service organization’s system interacts with user entities, business partners, subservice organizations, and other parties

    Internal control and its limitations

    Complementary user entity controls and complementary subservice organization controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements

    User entity responsibilities and how they may affect the user entities’ ability to effectively use the service organization’s services

    The applicable trust services criteria

    The risks that may threaten the achievement of the service organization’s service commitments and system requirements, and how controls address those risks

    1.09 Specified parties of a SOC 2® report may include service organization personnel, user entities of the system throughout some or all of the period, business partners subject to risks arising from interactions with the system, practitioners providing services to user entities and business partners, and regulators who have sufficient knowledge and understanding of such matters.

    1.10 Other parties may also have the requisite knowledge and understanding identified in paragraph 1.08. For example, prospective user entities or business partners, who intend to use the information contained in the SOC 2® report as part of their vendor selection process or to comply with regulatory requirements for vendor acceptance, may have gained such knowledge while performing due diligence. (If prospective users lack such knowledge and understanding, management may instead engage a service auditor to provide a SOC 3® report, as discussed in paragraph 1.13.)

    1.11 Because of the knowledge that intended users need to understand the SOC 2® report, the service auditor’s report is required to be restricted to specified parties who possess that knowledge. Restricting the use of a service auditor’s report in a SOC 2® examination is discussed beginning in paragraph 4.33.

    1.12 As previously discussed, the SOC 2® report has been designed to meet the common information needs of the broad range of intended users described in the preceding paragraphs. However, nothing precludes the service auditor from restricting the use of the service auditor’s report to a smaller group of users.

    1.13 In some situations, service organization management may wish to distribute a report on the service organization’s controls relevant to security, availability, confidentiality, processing integrity, or privacy to users who lack the knowledge and understanding described in paragraph 1.08. In that case, management may engage a service auditor to examine and express an opinion on the effectiveness of controls within a service organization’s system in a SOC 3® examination. As discussed beginning at paragraph 1.55, a SOC 3® report is ordinarily appropriate for general users. Chapter 4, Forming the Opinion and Preparing the Service Auditor’s Report, discusses the reporting elements of a SOC 3® report in further detail.

    Overview of a SOC 2® Examination

    1.14 As previously discussed, a SOC 2® examination is an examination of a service organization’s description of its system, the suitability of the design of its controls, and in a type 2 examination, the operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, or privacy. This guide provides performance and reporting guidance for both types of SOC 2® examinations.

    1.15 The service auditor performs a SOC 2® examination in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements. Those standards establish performance and reporting requirements for the SOC 2® examination. According to those standards, an attestation examination is predicated on the concept that a party other than the practitioner (the responsible party) makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. An assertion is any declaration or set of declarations about whether the subject matter is in accordance with, or based on, the criteria.

    1.16 In a SOC 2® examination, service organization management is the responsible party. However, in certain situations there may be other responsible parties. As the responsible party, service organization management prepares the description of the service organization’s system that is included in the SOC 2® report. In addition, the service auditor is required by the attestation standards to request a written assertion from management. Management’s written assertion addresses whether (a) the description of the service organization’s system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria, and (c) in a type 2 examination, those controls were operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.

    1.17 The service auditor designs and performs procedures to obtain sufficient appropriate evidence about whether the description presents the system that was designed and implemented in accordance with the description criteria and whether (a) the controls stated in the description were suitably designed to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria and, (b) in a type 2 examination, those controls were operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. In a type 2 examination, the service auditor also presents, in a separate section of the SOC 2® report, a description of the service auditor’s tests of controls and the results thereof.

    Contents of the SOC 2® Report

    1.18 A SOC 2® examination results in the issuance of a SOC 2® report. As shown in table 1-1, the SOC 2® report includes three key components:

    Table 1-1 Contents of a SOC 2® Report

    Definition of a System

    1.19 In the SOC 2® examination, a system is defined as the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the organization’s specific business objectives (for example, delivery of services or production of goods) in accordance with management-specified requirements.

    1.20 System components can be classified into the following five categories:

    Infrastructure. The collection of physical or virtual resources that supports an overall IT environment, including the physical environment and related structures, IT, and hardware (for example, facilities, servers, storage, environmental monitoring equipment, data storage devices and media, mobile devices, and internal networks and connected external telecommunications networks) that the service organization uses to provide the services

    Software. The application programs and IT system software that supports application programs (operating systems, middleware, and utilities), the types of databases used, the nature of external-facing web applications, and the nature of applications developed in-house, including details about whether the applications in use are mobile applications or desktop or laptop applications

    People. The personnel involved in the governance, management, operation, security, and use of a system (business unit personnel, developers, operators, user entity personnel, vendor personnel, and managers)

    Data. The types of data used by the system, such as transaction streams, files, databases, tables, and other output used or processed by the system

    Procedures. The automated and manual procedures related to the services provided, including, as appropriate, procedures by which service activities are initiated, authorized, performed, and delivered, and reports and other information prepared

    Boundaries of the System

    1.21 The boundaries of a system addressed by a SOC 2® examination need to be clearly understood, defined, and communicated to report users. For example, a financial reporting system is likely to be bounded by the components of the system related to financial transaction initiation, authorization, recording, processing, and reporting. The boundaries of a system related to processing integrity (system processing is complete, accurate, timely, and authorized), however, may extend to other operations (for example, risk management, internal audit, information technology, or customer call center processes).

    1.22 In a SOC 2® examination that addresses the security, availability, or processing integrity criteria, the system boundaries would cover, at a minimum, all the system components as they relate to the transaction processing or service life cycle including initiation, authorization, processing, recording, and reporting of the transactions processed for or services provided to user entities. The system boundaries would not include instances in which transaction-processing information is combined with other information for secondary purposes internal to the service organization, such as customer metrics tracking.

    1.23 In a SOC 2® examination that addresses the confidentiality or privacy criteria, the system
