New nonauthoritative FAQ guidance issued by the AICPA staff addresses issues related to System and Organization Controls 2 and 3 (SOC 2 and SOC 3) engagements.
The FAQs are available on the AICPA website and address the following topics:
- Change in the opinion on the design and operating effectiveness resulting from the 2017 changes to the trust services criteria.
- Trust services categories.
- Whether there is a minimum set of common controls that meet the trust services criteria.
- Who can perform a SOC 2 examination.
- Considering the appropriate period for a SOC 2 examination.
- The effects of a service organization’s lack of an independent board of directors on the service auditor’s opinion on the suitability of design of controls.
- Whether a service auditor can issue a SOC 2 report that also addresses additional subject matters and additional criteria.
- The use of sampling in a SOC 2 examination.
- Whether a service auditor’s opinion in a SOC 2 examination addresses the service organization’s compliance with relevant laws and regulations.
- Procedures for testing operating effectiveness.
- Consideration of materiality in a SOC 2 examination.
- Whether service organization management can elect to use the carve-out method for a subservice organization in a SOC 3 report.
- How a CPA organization can use the SOC logo.
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.