Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

A Breakdown of the Latest SOC 2 Guidance Revisions (October 2022)

SOC Examinations

While in school, did you ever have a professor that would sneakily test on obscure materials? You could read the textbooks, but that material you assumed would be the bulk of an exam wasn’t mentioned—instead, your test questions were focused on the footnotes or some other material you weren’t aware of or clearly alerted to review beforehand. 

If so, we agree that must’ve been insanely frustrating to not have proper guidance before a major evaluation, leaving you with a bad grade and no explanation as to why or how you can improve your work. 

The good news is that you’re out of school, and for those undergoing SOC 2 examinations, there’s an abundance of guidance provided by the AICPA. This information is meant to assist service organizations and their auditors in preparing for, executing, and reporting on a SOC 2 examination—the latest version was released in October 2022. 

As SOC auditors for over two decades now, we’re incredibly seasoned in performing SOC 2 examinations, but that doesn’t mean we don’t appreciate the additional help, just like you would when trying to reach your compliance goals. In this article, we’re going to break down the latest AICPA guidance so that you can further simplify your SOC 2 process. 

6 Key Changes to the SOC 2 Guide

For those completely unfamiliar, the SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2 Guide) is used by practitioners providing SOC 2 services and examinations and can serve as a reference for organizations that issue SOC 2 reports.

Among the many small revisions to the latest SOC 2 guide meant to assist practitioners in planning, executing, and reporting for a SOC 2, these key changes could have a more significant impact on how you and your auditor prepare for or perform a SOC 2 examination:

Key Change

Guidance is Provided On:

Information Provided by the Entity (IPE)

  • The various types of evidence that you can provide to your auditor for the testing of your defined controls
  • The different methods your auditor can use to inspect the evidence for further assurance that the information is complete and accurate
  • How your auditor should present the evidence inspection methods in either the system description or on a control-by-control basis

(As such, your auditor may make additional inquiries into how a piece of evidence was generated or perform additional procedures to confirm that the evidence provided was not modified after it was generated.)

SOC 2+

  • How the inclusion of other frameworks would affect your SOC 2 if they were to be assessed simultaneously
  • An example report is now included in the updated guide offering additional guidance on the presentation of a SOC 2+ report

Review Controls

  • Matters that your auditor needs to consider when designing its tests of controls to evaluate the design and effectiveness of your review controls, including the precision of the control as well as details over the performance of the review

You should expect additional inquiries from your auditor regarding:

  • The individuals performing the review
  • What the control owner considered when performing the review
  • The threshold triggering further investigation
  • The resolution of matters identified by the reviewer

Controls That Operated Prior To The Period or
Did Not Operate During The Period

How your auditor should:

  • Assess that situation
  • Present the information within the report
  • Explain the potential impact it may have on their opinion if controls relevant to the achievement of the service commitment or system requirement did not operate during the period

Objectives,
Service Commitments, and System Requirements

  • The descriptions of each of these elements
  • How they are related

IT Services

  • Considerations your auditor should make when providing services outside of the scope of the SOC 2 examination and how these may impair independence

8 Key Changes to SOC 2 Description Criteria and Trust Services Criteria

In addition to the updated SOC 2 Guide, the AICPA also released revised guidance on the Description Criteria and Trust Services Criteria. Though these haven’t materially changed, their points of focus have been updated with information that:

  • Organizations should consider when designing controls; and
  • Auditors should consider in their evaluation of the controls over SOC 2 criteria.

 Some of these key updates were to the following areas:

 

Details

Privacy

  • Should you choose to include privacy in the scope of your SOC 2 examination, a clear disclosure must be included within the report as to your role as a data processor, data controller, or both.
  • Moreover, a differentiation has been added for whether each point of focus applies to a data processor, data controller, or both.
  • Points of focus that should be considered when privacy is in scope were also added to the Common Criteria (Security).

Incident Disclosures

  • When disclosures are made, the impact on confidential information during a security incident should be included in the disclosure.
  • Also, you and your auditor must consider if an incident occurs impacting an out-of-scope system, it may have been due to ineffective shared controls within your organization that could impact the systems within the defined scope.

Risk Disclosures and Assessments

Regarding the risk assessment process and specific risks that threaten the achievement of your service commitments and system requirements, you must also disclose additional details, including:

  • Magnitude of the effect of potential risks
  • Potential effects of unidentified or changes in threats and vulnerabilities on the assessed risk
  • Appropriateness of residual risk

Data Management

Particularly when related to confidentiality (e.g., data storage, backup, retention), new guidance suggests that you should clearly identify personal information within a system and restrict access based on this identification and classification of sensitive information.

Information
and Asset Management

Pertaining to the identification, documentation, and maintenance records of system components including infrastructure, software, and other information assets, the added points of focus also expounded on:

  • The creation, classification, and handling of information
  • Mapped data flows for the in-scope systems
  • Confirmation that you’re using information and reports that are complete, accurate, current, and valid in the operation of controls

New Architecture

Added guidance on how to identify and assess the security of new system architecture before its implementation into your system environment.

Change Management

If Availability is In-Scope: Consider testing system resiliency within your change management procedures.

If Privacy is In-Scope: Consider the privacy requirements in the design of your system and the collection and processing of personal information should be limited to only what is necessary.

Assessing Vendor and Business Partner Risks

Due to increased risk exposure relating to vendors and third parties, new guidance provides details on identifying vulnerabilities related to your third parties, including that of third-party access to the in-scope systems and how you should reassess relationships with vendors and third parties periodically.

Moving Forward with Your Next SOC 2 Examination

While this breakdown doesn’t include all the AICPA updates to the SOC 2 Guide, Description Criteria, and Trust Services Criteria, these highlights presented can point you in the right direction to more thoroughly prepare for your next SOC 2 examination process. This isn’t like a sneaky college professor sourcing his exam questions from obscure materials—this information is intended to and will help you more easily achieve compliance through an understanding of the impacts these changes may have on your service commitments and system requirements. 

For further details on all the revisions made to the SOC 2 guidance, AICPA members can procure the full and updated SOC 2 guide, Description Criteria, and Trust Services Criteria documents. The AICPA has also provided red-lined versions of the Trust Services Criteria and Description Criteria that each highlight the revisions. 

Schellman also features additional resources that can assist in deepening your understanding of SOC 2, including our own guide to shaping an examination to your needs: 

About Vinnie Minosky

Vinnie Minosky is a Manager with Schellman based in Columbus, OH, focusing primarily on SOC examinations. Vinnie has been with the firm for three years and prior to joining Schellman, he worked as a Senior IT Assurance Auditor at a large public accounting firm in Columbus, performing financial audit support and SOC audits across various industries. He has over six years of audit experience and maintains multiple certifications including: CISSP, CISA, and ISO 27001 Lead Auditor.