What businesses need to know about SOC 2 developments


Updated guidance and the rise of SOC tools merit attention


When performed correctly, a System and Organization Controls (SOC) 2 engagement results in a report from a trusted audit firm that gives a service organization an opinion on the condition of its processes and controls. That report contains valuable information that can be shared with clients and prospects alike.


As the SOC 2 landscape shifts, service providers should understand the more important nuances in this area.


First, the AICPA, which sets the standards for SOC 2 engagements, updated its guide for practitioners performing these engagements in October 2022. While the updates are geared more toward the auditors who perform SOC 2 engagements, service organizations that understand them can avoid surprises and help the engagements proceed more smoothly.


Second, the AICPA has warned of the misuse of certain tools created by non-CPA software developers to improve service organizations’ preparation for SOC 2 examinations. If these tools are used improperly, they may result in SOC 2 examinations and related reports that do not conform with professional standards, according to an AICPA alert issued in December 2022. There’s a risk that non-CPA firms that purport to be able to perform the examination using a tool will deliver reports that don’t adequately assess the condition of processes and controls.





Updates to AICPA guide


The revisions to the AICPA guide enhance the procedures that auditors perform when conducting SOC 2 examinations, and they are intended to improve clarity and processes.


Titled SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, the updated guide reflects lessons learned and insights gained by CPAs who perform these engagements.


The revised guide:

  • Incorporates recent changes to CPA attestation standards.
  • Provides guidance and clarity to service organizations regarding their objectives and how they relate to their service commitments and system requirements.
  • Presents the key differences between the “Confidentiality” and “Privacy” categories and when it’s appropriate for a service organization to report on controls included in them.
  • Provides greater detail on how an auditor should proceed when a service organization presents controls related to a framework outside the SOC 2 trust services criteria.
  • Clarifies how to identify and consider subservice organizations versus vendors, and what types of controls or disclosures are appropriate when management uses specialists.
  • Explains how management and the service auditor should account for controls that may have operated outside the specified period, and how to consider the relevance of controls that operated prior to the specified period.
  • Provides guidance on the service organization’s use of software applications and tools (i.e., SOC tools).
  • Adds new points of focus and clarifies existing points of focus to better support the criteria.

As a result of these changes, service organizations should review the controls and disclosures in their SOC 2 reports and reevaluate the suitability of the design and the operating effectiveness of their control environment.


Focus on tools


According to the AICPA’s alert, SOC 2 tools often are marketed by non-CPA firms to companies whose management doesn’t fully understand the service organization’s risks and control activities. The tools are presented as a way to make SOC 2 engagements more efficient and less expensive for management.


When auditors rely too heavily on the information provided by these tools, the engagement might not meet professional standards.


“There’s a risk of overreliance on these tools that’s then passed on to a service organization’s users,” said Forrest Frazier, a Grant Thornton Partner who is Practice Leader for the firm’s Special Attestation Services.


When non-CPA SOC 2 tool providers enter into business with CPA firms to provide the examination based on information generated by the tool, the resulting audit may be exposed to a self-review threat that causes the engagement to fall short of professional standards.


The AICPA also has observed that some SOC 2 tool provider websites list audit providers that do not appear to be licensed CPA firms. Most state boards of accountancy require attestation engagements — including SOC engagements — to be performed by licensed CPA firms, according to the alert.


“If somebody comes along and says they can do these engagements for a lot cheaper than licensed CPA firms but their work doesn’t meet professional standards, that’s a threat to the whole system,” Frazier said.


The key takeaway for service organization management is that a non-CPA software vendor that promises a smooth, inexpensive examination might not deliver a report that meets professional standards.

