AICPA Updates SOC 2 Guidance


The AICPA has revised and updated the SOC 2 guidelines. There are no changes to the SOC 2 trust services criteria (commonly referred to as control objectives) however, there are new and revised “points of focus.” At the core, the points of focus provide guidance in the design, implementation, and operation of controls. Every point of focus must be considered and evaluated by the Service Organization and SOC Assessors. Points of focus may identify areas of improvement that strengthen a service organization’s controls. Some points of focus may not be relevant for a particular organization and therefore are not required to attain a successful SOC 2 examination.  The AICPA also revised the Description Criteria guidance with expanded disclosures. 

The revised points of focus are intended to: 

  • Improve overall guidance on controls that support the implementation of the trust services criteria 
  • Address changing technologies, threats and vulnerabilities, and risks 
  • Address changing legal and regulatory requirements and expectations regarding privacy 
  • Address data management, including data storage, backup, and retention, particularly when related to confidentiality 
  • Differentiating points of focus related to privacy as a “data controller” versus a “data processor” 

What Areas are Impacted? 

The revised points of focus impact the following criteria:

  • Control Environment 
  • Information and Communication (previously Communication and Information) 
  • Risk Assessment 
  • Logical and Physical Access 
  • System Operations 
  • Change Management 
  • Risk Mitigation 

What’s the Impact and Timing?

Service Organizations must consider updated guidance in the design, implementation, and operation of controls. The revised points of focus are not strict “requirements,” and the AICPA has not provided any implementation dates. The updated guidance is effective immediately. Organizations should consider revisions and incorporate changes as soon as possible and preferably before their next SOC assessment report. 

Can a Service Organization Ignore These Revisions?

No. All SOC 2 organizations and SOC 2 Assessors must consider the revised guidance in the design, implementation, and operation of controls.