The AICPA is the governing body for SOC 2®. Periodically, the AICPA updates its standards and guidance. The SOC 2 guide, updated in October of 2022, provides interpretive guidance to the auditors who perform SOC 2 examinations. In the recent update, no changes were made to the Trust Services Criteria (TSC); however, updates were made to the interpretations and guidance on how SOC 2 examinations are performed.
Updated guidance description | Potential impact | Relevant guide paragraph for more information |
Additional examples around inherent risks that auditors may consider. | Auditors may ask service organizations more questions about these inherent risk areas and place more emphasis on them when planning their examinations than they have in the past. | 2.129 |
Enhanced guidance on the completeness and accuracy of information provided or produced by the entity (IPE). | Auditors may enhance the level of evidence they require from the service organization, especially around areas such as the completeness and accuracy of populations which are used as a basis for sampling. | 3.137 to 3.145 |
Increased focus on vendor risk management performed by the service organization. | Service organizations may need to enhance their vendor risk management procedures. | 3.162 to 3.174 |
Example SOC 2+ report | The form of the opinion and assertion may change with the example now included in the SOC 2 guide. | Appendix E |
For additional guidance on how the changes to SOC 2 could impact your service organization, connect with a Baker Tilly SOC specialist.
© 2024 Baker Tilly US, LLP