Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) - Softcover

This new guide summarizes the three new service organization controls (SOC) engagements and provides detailed guidance for performing examinations under AT section 101, Attest Engagements (AICPA, Professional Standards), to report on a service organization's controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy, commonly referred to as a SOC 2 engagement.

The guide provides "how-to" guidance on planning, performing and reporting on SOC 2 engagements. It explains the relationship between a service organization and its user entities, provides examples of service organizations including those that provide cloud computing services, identifies the criteria in Trust Service Principles and Criteria as the criteria to be used to evaluate the design and operating effectiveness of controls, explains the difference between a type 1 and type 2 SOC 2 report and provides an overview of the three reporting options for CPAs reporting on controls at a service organization. It describes the matters to be considered and procedures to be performed by the service auditor in planning and performing the engagement to test (1) the fairness of the presentation of management's description of the service organization's system; (2) the suitability of the design and operating effectiveness of the controls included in the description; and (3) in a SOC 2 engagement that addresses the privacy principle, whether the service organization complied with the commitments in its statement of privacy practices. It also covers the service auditor's responsibilities when reporting on a SOC 2 engagement.

All content is written and reviewed by subject matter experts and approved by the appropriate AICPA senior technical committee(s).