A service organization may engage the service auditor to examine and report on subject matters in addition to the description of the service organization’s system in accordance with the description criteria and the suitability of design and operating effectiveness of controls based on the applicable trust services criteria. In that case, the service auditor would also examine and report on whether the additional subject matter is presented in accordance with the additional suitable criteria used to evaluate it. The following table provides examples of additional subject matters and additional criteria that may be used to evaluate them.
A SOC 2® engagement that includes additional subject matters and additional criteria such as those described in the preceding table is predicated on service organization management providing the service auditor with the following:
- An appropriate description of the subject matter
- A description of the criteria identified by management used to measure and present the subject matter
- If the criteria are related to controls, a description of the controls intended to meet the control-related criteria
- An assertion by management regarding the additional subject matter or criteria
The service auditor should perform procedures to obtain sufficient appropriate evidence related to the additional subject matter or criteria in accordance with AT-C section 205 and the relevant guidance in the SOC 2 guide. In accordance with the reporting requirements in AT-C section 205, the service auditor should identify in the service auditor’s report the additional subject matter being reported on or the additional criteria being used to evaluate the subject matter and report on the additional subject matter.
In some situations, the service auditor may be requested to also include in the report a description of the service auditor’s tests of controls or procedures performed to evaluate the existing or additional subject matter against the existing or additional criteria and the detailed results of those tests. In that case, paragraph .A85 of AT-C section 205 provides the following factors for the service auditor to consider before agreeing to include such information in the report:
- Whether such a description is likely to overshadow the service auditor’s overall opinion, which may cause report users to misunderstand the opinion
- Whether the parties making the request have an appropriate business need or reasonable basis for requesting the information (for example, the specified parties are required to maintain and monitor controls that either encompass or are dependent on controls that are the subject of an examination and, therefore, need information about the tests of controls to enable them to have a basis for concluding that they have met the requirements applicable to them)
- Whether the parties understand the nature and subject matter of the engagement and have experience in using the information in such reports
- Whether the service auditor’s procedures relate directly to the subject matter of the engagement
If the service auditor believes that the addition of a description of tests of controls or procedures performed and the results thereof in a separate section of the report is likely to increase the potential for the report to be misunderstood by the requesting parties, the service auditor may decide to add an alert paragraph that restricts the use of the report to the parties making the request. Chapter 4 of the SOC 2 guide discusses the requirements for an alert paragraph in further detail.
Cloud Security Alliance (CSA)
CSA, in collaboration with the AICPA, developed a third-party assessment program for cloud providers officially known as CSA Security Trust & Assurance Registry (STAR) Attestation. STAR Attestation provides a framework for CPAs performing independent assessments of cloud providers using SOC 2® engagements with the CSA’s Cloud Controls Matrix. The AICPA has developed an illustrative SOC 2® Report with the Criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) to assist CPAs in reporting on the suitability of the design and operating effectiveness of a service organization’s controls relevant to security and availability based on the criteria for security and availability in TSP Section 100A, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), and on the suitability of the design and operating effectiveness of its controls in meeting the criteria in the Cloud Security Alliance Cloud Controls Matrix.