FAQs on SOC 2 and SOC 3 engagements issued by AICPA staff

By Ken Tysiac

New nonauthoritative guidance, issued by the AICPA staff in the form of FAQs, addresses issues related to System and Organization Controls 2 and 3 (SOC 2 and SOC 3) engagements.

The FAQs are available on the AICPA website and address the following topics:

  • Change in the opinion on the design and operating effectiveness resulting from the 2017 changes to the trust services criteria.
  • Trust services categories.
  • Whether there is a minimum set of common controls that meet the trust services criteria.
  • Who can perform a SOC 2 examination.
  • Considering the appropriate period for a SOC 2 examination.
  • The effects of a service organization’s lack of an independent board of directors on the service auditor’s opinion on the suitability of design of controls.
  • Whether a service auditor can issue a SOC 2 report that also addresses additional subject matters and additional criteria.
  • The use of sampling in a SOC 2 examination.
  • Whether a service auditor’s opinion in a SOC 2 examination addresses the service organization’s compliance with relevant laws and regulations.
  • Procedures for testing operating effectiveness.
  • Consideration of materiality in a SOC 2 examination.
  • Whether service organization management can elect to use the carve-out method for a subservice organization in a SOC 3 report.
  • How a CPA organization can use the SOC logo.

Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.
