FAQs on SOC 2 and SOC 3 engagements issued by AICPA staff

By Ken Tysiac

New nonauthoritative guidance, issued by AICPA staff in the form of FAQs, addresses issues related to System and Organization Controls 2 and 3 (SOC 2 and SOC 3) engagements.

The FAQs are available on the AICPA website and address the following topics:

  • Change in the opinion on the design and operating effectiveness resulting from the 2017 changes to the trust services criteria.
  • Trust services categories.
  • Whether there is a minimum set of common controls that meet the trust services criteria.
  • Who can perform a SOC 2 examination.
  • Considering the appropriate period for a SOC 2 examination.
  • The effects of a service organization’s lack of an independent board of directors on the service auditor’s opinion on the suitability of design of controls.
  • Whether a service auditor can issue a SOC 2 report that also addresses additional subject matters and additional criteria.
  • The use of sampling in a SOC 2 examination.
  • Whether a service auditor’s opinion in a SOC 2 examination addresses the service organization’s compliance with relevant laws and regulations.
  • Procedures for testing operating effectiveness.
  • Consideration of materiality in a SOC 2 examination.
  • Whether service organization management can elect to use the carve-out method for a subservice organization in a SOC 3 report.
  • How a CPA organization can use the SOC logo.

Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.
