The American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) School – Advanced Guidance for Successful Engagements was recently held in Denver, CO. The audience was diverse and included representatives from public accounting firms and other organizations vested in service organization control reporting (third-party service providers, users of the reports, consultants, etc.) from throughout the United States and Canada.
The discussions over a two-day period focused on the purpose and means of conducting effective SOC engagements (i.e., SOC 1, 2 and 3), and specifically targeted engagement planning, execution and reporting. Other areas covered included best practices for completing examinations and an in-depth review of changes in the standards covering SOC for Service Organizations. The training sessions reinforced the key concepts and requirements for conducting and completing successful examinations.
Statement on Standards for Attestation Engagements 18 (SSAE 18) became effective for reports dated on or after May 1, 2017. This standard supersedes SSAE 16. Service organizations and their auditors will need to address the following changes in SSAE 18:
- Assessment of risks of material misstatements
- Evaluation of the reliability of information produced by the entity
- Vendor management and monitoring of subservice organizations
- Complementary subservice organization controls
SOC 2 Reports
Effective December 15, 2018, SOC 2 Reports will be based on the new 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy, which are codified in TSP section 100. Early adoption is permitted. Organizations going through their first SOC 2 engagement should consider early adopting the 2017 Trust Services Criteria. Organizations that currently have a SOC 2 engagement will need to map their existing controls to the 2017 Trust Services Criteria. The 2017 Trust Services Criteria are being aligned with COSO’s internal control framework. Other changes include:
- Eight new common criteria to align with the COSO principles
- Disclosure of significant incidents during the 12-month period preceding the “as of date” or the “period end date”
- The AICPA SOC 2 Guide is expected to be released late in 2017 or early 2018
SOC 2+ Reports
A trend growing in popularity in SOC 2 reporting is the SOC 2+ report. A SOC 2+ report is a review of the trust services principles in combination with additional subject matter related to the service organization’s services, evaluated against additional suitable criteria for that subject matter. The ability to include additional criteria within the scope of a SOC 2 engagement both promotes greater efficiency in the conduct of multiple examinations at a single organization and reduces the number of reports published for use by clients and other users of the reported results. Below are a few frameworks that can be mapped to SOC 2 and used in a SOC 2+ report. The list is not all-inclusive.
- NIST 800-53 R4
- Cloud Security Alliance (CSA STAR)
- COBIT 5
- ISO 27001
Barnes Dennig’s participation in the annual AICPA SOC School and other SOC professional forums demonstrates our firm’s commitment to remaining on the leading edge of SOC practices and ensuring that our team applies techniques that adhere to AICPA standards. This commitment ensures that our clients’ examinations are conducted effectively and in accordance with current authoritative guidance aligned with leading practices.
Contact us with questions regarding SOC engagements and visit our SOC reporting services page to learn about the services that Barnes Dennig offers.