FAQs on SOC 2 and SOC 3 engagements issued by AICPA staff

By Ken Tysiac

New nonauthoritative guidance, issued by AICPA staff in the form of FAQs, addresses issues related to System and Organization Controls 2 and 3 (SOC 2 and SOC 3) engagements.

The FAQs are available on the AICPA website and address the following topics:

  • Change in the opinion on the design and operating effectiveness resulting from the 2017 changes to the trust services criteria.
  • Trust services categories.
  • Whether there is a minimum set of common controls that meet the trust services criteria.
  • Who can perform a SOC 2 examination.
  • Considering the appropriate period for a SOC 2 examination.
  • The effects of a service organization’s lack of an independent board of directors on the service auditor’s opinion on the suitability of design of controls.
  • Whether a service auditor can issue a SOC 2 report that also addresses additional subject matters and additional criteria.
  • The use of sampling in a SOC 2 examination.
  • Whether a service auditor’s opinion in a SOC 2 examination addresses the service organization’s compliance with relevant laws and regulations.
  • Procedures for testing operating effectiveness.
  • Consideration of materiality in a SOC 2 examination.
  • Whether service organization management can elect to use the carve-out method for a subservice organization in a SOC 3 report.
  • How a CPA organization can use the SOC logo.

Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.
