The AICPA released an updated guide to reporting on an examination of system and organization controls. The guide, SOC 2® reporting on an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy (SOC 2 Guide) was published on Oct. 15, 2022.
The SOC 2 Guide is used by practitioners providing SOC 2 services and examinations and can serve as a reference for organizations that issue SOC 2 reports. While not authoritative guidance, the SOC 2 Guide provides valuable clarifications and examples of implementation of the standards.
Description criteria and trust services criteria
In addition to the new SOC 2 Guide, the AICPA also released the Description Criteria and Trust Services Criteria with revised points of focus. The Description Criteria and Trust Services Criteria, which have been in place since 2018 and 2017, respectively, haven’t changed; rather, the points of focus were revised to provide further clarity and guidance on the Trust Services Criteria.
Key changes in the SOC 2 guide
While there have been many small revisions to the SOC 2 Guide, there are several larger changes that could affect how an organization designs and operates its controls.
The new guidance also addresses how to interpret the requirements described in the criteria, how to describe the system in scope for the SOC 2 examination, and how to report on incidents or changes that occurred.
Key updates include:
- The service organization’s objectives, service commitments, and system requirements. Provides additional clarity on the organization’s objectives and how they relate to its service commitments and system requirements.
- Selecting the trust services category or categories to be addressed by the examination.