FAQs

Let's clear your questions


Question: Prior to the 2017 revisions to the trust services criteria and the corresponding changes to the SOC 2 guide (January 2018), the service auditor formed the opinion on design and operating effectiveness in a SOC 2 examination by considering whether an identified control deficiency resulted in the service organization's failure to meet one or more of the applicable trust services criteria. After those revisions, however, the service auditor forms the opinion by considering the effect of any identified control deficiencies on the service organization's ability to meet its service commitments and system requirements based on the trust services criteria. Why did the service auditor's opinion on design and operating effectiveness change, and how does the change affect a service auditor's opinion on the design and operating effectiveness of controls in a SOC 2 examination?

Reply: The reason for the change in the opinion relates primarily to the 2017 revisions to the trust services criteria. The trust services criteria were revised to conform to the 2013 COSO framework, which notes that "an organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them." Internal control supports the organization in achieving its objectives. Consequently, for report users to understand how the effectiveness of controls within a system is evaluated in a SOC 2 examination, they need to understand the objectives that management has established for the system. For that reason, management also discloses the principal objectives in the description of the system; in the description, those objectives are referred to collectively as the service organization's service commitments and system requirements.
Management derives the service organization's principal service commitments and system requirements from the following:

  a. The service commitments it makes to user entities related to the system used to provide the services
  b. The system requirements necessary to achieve those commitments
  c. The need to comply with laws and regulations regarding the provision of the services by the system
  d. Other objectives service organization management has for the system

Prior to the revisions to the trust services criteria and guide, the auditor's opinion implied that the design and operating effectiveness of controls were evaluated by considering only whether the applicable trust services criteria were met. The change in the service auditor's opinion, though subtle, clarifies that the service auditor's opinion on the design and operating effectiveness of system controls depends on whether those controls were effective to provide reasonable assurance that the overall system objectives (that is, the service commitments and system requirements) were achieved; the trust services criteria are the framework against which that evaluation is made.

Question: Are there situations in which the same control deficiency identified during the SOC 2 examinations of two different service organizations may lead the service auditor to issue a qualified opinion on operating effectiveness for one service organization but not for the other?

Reply: Yes. When a control deficiency is identified, the service auditor is responsible for evaluating the effect of the deficiency by considering its effect on the system's ability to achieve the service commitments and system requirements that management established based on the trust services criteria. Although the same identified control deficiency may have resulted from the evaluation of a particular trust services criterion, the effect of the deficiency on the overall effectiveness of the system and related controls (that is, whether controls provide reasonable assurance of achieving the service organization's service commitments and system requirements) may be different at each organization.

Decisions about the effect of control deficiencies identified during the examination are very complex and involve a high degree of professional judgment; consequently, the same deficiency may result in a different conclusion based on the particular facts and circumstances. Let's look at a simple example that illustrates this response. Assume that service organizations A and B provide cloud infrastructure-as-a-service to commercial entities; both organizations provide failover processing through load balancing across geographically diverse data centers. The service auditor's testing reveals that in both organizations the design of the failover processing results in a likelihood that processing capacity will be 50% of peak load for the first day of failover, due to system resource limitations and the process for reallocating resources. Company A's target market is SaaS entities that provide storage and retrieval services, and its service commitment around availability is based on monthly total capacity available. Company B's target market is companies that provide financial instrument trading platforms, and its service commitment around availability is based on peak transaction processing volume. In this example, a service auditor of the two organizations is likely to reach different conclusions when evaluating the effect of the deficiency on the achievement of each organization's availability commitments: the first-day capacity shortfall has little bearing on a monthly total-capacity commitment but bears directly on a peak-volume commitment.


Question: How does service organization management determine which trust services categories to include within the scope of the SOC 2 examination? What is the service auditor's responsibility for determining whether those categories are appropriate for the examination?

Reply: Service organization management is responsible for selecting the trust services category or categories to be included within the scope of the examination based on its understanding of the needs of user entities and what it wants to communicate to those user entities.

Because service organizations and their customers and business partners have an increased dependence on technology, including concerns about cybersecurity risks and their impact on operational processes, security controls are a primary area of focus for system users. As a result, for most service organizations, management will include the security category within the scope of the examination. When determining other categories to include and address in the examination, service organization management usually considers the commitments it makes to its customers and business partners, as in the following examples:

  • A service organization that provides IT infrastructure services to its customers and business partners may have made certain commitments to its customers and business partners about security and system availability; therefore, a SOC 2 examination that addresses the security and availability categories is likely to meet its customer and business partner informational needs.
  • A service organization that processes proprietary information or personal information for its customers and business partners may make commitments about maintaining the confidentiality or privacy of the information processed. In this case, a SOC 2 examination that addresses security and the confidentiality or privacy categories may meet users´ needs.

According to paragraph 2.46 of the SOC 2 guide, when evaluating the appropriateness of the subject matter, a service auditor may consider the relevance to the system of the trust services category or categories included within the scope of the examination. If the service auditor believes the omission of a category that may be relevant to intended users' understanding of the system increases the risk that users will misunderstand the service auditor's opinion in the SOC 2 report, the service auditor may discuss the concern with service organization management. For example, if management discloses in the description of the system a principal service commitment around the availability of the system to its customers, those customers are likely to expect the availability category to be included within the scope of the SOC 2 examination. In this situation, if service organization management is unwilling either to include the availability category within the scope of the examination or to exclude the availability-related commitment from the description, the service auditor may decide to decline the engagement.

Question: As discussed in the prior response, the security category is included in the majority of SOC 2 examinations. Are there circumstances in which a service auditor may accept a SOC 2 examination that excludes the security category from the scope of the examination?

Reply: Yes, management may determine that a report omitting the security category meets the needs of intended users of the report. Paragraph 1.38 of the SOC 2 guide states that, even if the SOC 2 examination addresses only availability, the controls examined should include all the common criteria in addition to the specific criteria for availability. That is important because a control deficiency in a control necessary to meet the common criteria may affect the service organization's ability to achieve its service commitments and system requirements. Therefore, the service auditor still has to evaluate the suitability of design and, in a type 2 examination, the operating effectiveness of controls necessary to meet all of the common criteria (CC1.1 through CC9.2), which encompass controls such as those over logical and physical access, system operations, and change management, in addition to controls necessary to meet the criteria related to the availability category.


Question: Is there a minimum set of controls or standardized template of controls that organizations can implement to help ensure that controls are suitably designed based on the applicable trust services criteria in a SOC 2 examination?

Reply: No, there is no minimum set of controls or standardized template of controls that helps ensure controls are suitably designed to meet the applicable trust services criteria. A service organization should implement specific controls designed to mitigate the risks identified by management that could prevent the service organization from achieving its service commitments and system requirements. For that reason, the trust services criteria do not prescribe specific controls for any organization. Instead, the trust services criteria establish the outcomes that those controls should achieve in order to meet a service organization's service commitments and system requirements.


Question: Does the SOC 2 guide establish a minimum period of time for a type 2 SOC 2 examination?

Reply: The SOC 2 guide does not prescribe a minimum period of time for a SOC 2 examination. The period of time to be addressed by a SOC 2 examination is a business decision made by service organization management after considering the informational needs of intended users.

When determining whether to accept a SOC 2 engagement, the service auditor considers the period of time to be addressed and whether sufficient appropriate evidence is likely to be available to support an opinion on operating effectiveness. Although the determination of the appropriateness of the period of time is a matter of professional judgment, paragraph 2.46 of the SOC 2 guide provides an example that may help a service auditor make that determination. In the example, service organization management wishes to engage the service auditor to perform a type 2 examination for a period of less than two months. The example indicates that, in this situation, the service auditor may conclude that it is unlikely that sufficient appropriate evidence could be obtained to support an opinion.

Question: What factors may the service auditor consider when evaluating whether the period of time is appropriate for the SOC 2 examination?

Reply: When evaluating whether the period of time is appropriate, the service auditor may consider the frequency with which the designed controls are to be performed and whether those controls are likely to operate within the period of time to be addressed by the examination.

For example, some controls may operate only cyclically. An employee benefit administrator may use different applications and controls during an open enrollment period. If the period addressed by the SOC 2 examination does not include the operation of controls during the open enrollment period, the service auditor may be unable to obtain sufficient appropriate evidence of the operation of those controls to support the opinion on control effectiveness for the period of time addressed by the examination. In that situation, the service auditor may discuss the issue with management and determine whether a different period of time would be more appropriate.

Question: In certain circumstances, some controls that would ordinarily have operated during the period of time addressed by the examination do not operate because the circumstances that warrant their operation do not exist. For example, controls over new user identification and authentication may not operate if no new users were added to the system during the period of time addressed by the examination. When management informs the service auditor of this situation, what are the service auditor's responsibilities?

Reply: In this situation, the service auditor should consider the guidance in paragraph 3.156 of the SOC 2 guide. In most cases, the service auditor would (a) perform procedures to corroborate management's statements; (b) describe in section 4 of the SOC 2 report those procedures and the results thereof; and (c) consider whether to add additional language to the service auditor's report as discussed in paragraph 4.86 of the SOC 2 guide.


Question: Can a service auditor issue a SOC 2 report that also addresses additional subject matters and additional criteria?

Reply: Paragraphs 1.50–1.54 of the SOC 2 guide discuss potential considerations when a service organization engages a service auditor to examine and report on subject matters (for example, compliance with HIPAA security requirements) in addition to the description of the service organization's system in accordance with the description criteria and the suitability of design and operating effectiveness of controls based on the applicable trust services criteria. In such cases, the service auditor examines and reports on whether the additional subject matter is presented in accordance with the additional suitable criteria used to evaluate it.

The determination to perform a SOC 2 examination that includes additional subject matter and additional criteria is predicated on service organization management providing the service auditor with the following:

  • An appropriate description of the subject matter
  • A description of the criteria identified by service organization management used to measure and present the subject matter
  • If the criteria are related to controls, a description of the controls intended to meet the control-related criteria
  • An assertion by service organization management regarding the additional subject matter or criteria

Question: How does a service auditor use sampling in a SOC 2 examination?

Reply: When determining whether sampling is an appropriate strategy for testing controls in a SOC 2 examination, paragraph 3.142 of the SOC 2 guide indicates that the service auditor should consider the following:

  a. The characteristics of the population of the controls to be tested, including the nature of the controls
  b. Whether the population is made up of homogeneous items
  c. The frequency of the controls' application
  d. The expected deviation rate

Question: When the service auditor has determined that sampling is the appropriate approach, what items would need to be documented in the working papers for a SOC 2 examination?

Reply: According to paragraph 3.96 of the AICPA Guide Audit Sampling, AU-C section 230, Audit Documentation, establishes requirements and provides guidance regarding the auditor's responsibility to document audit procedures. The guide also provides examples of items that auditors may document when using sampling, some of which may help service auditors decide what to document when using sampling in a SOC 2 examination. Based on that guidance, when using sampling, a service auditor may document, among other items, the following:

  • A description of the control being tested
  • The definition of the population and the sampling unit, including how the service auditor considered the completeness of the population
  • The definition of the deviation condition
  • The method of sample size determination
  • The method of sample selection
  • The selected sample items
  • A description of how the sampling procedure was performed
  • The evaluation of the sample and the overall conclusion

Question: Does a service auditor's opinion in a SOC 2 examination address the service organization's compliance with relevant laws and regulations?

Reply: No. A SOC 2 examination addresses only the design and, in a type 2 examination, the operating effectiveness of controls that support the service organization's compliance with specified laws and regulations. For example, when a service organization is subject to relevant laws and regulations, service organization management would identify system requirements to support the service organization's ability to comply with those laws and regulations; the service auditor would test the controls intended to achieve those system requirements during the SOC 2 examination, and the opinion would address the design and, in a type 2 examination, the operating effectiveness of those controls. The SOC 2 report does not provide an opinion on whether the service organization complied with relevant laws or regulations.

If service organization management wanted to obtain an opinion on compliance with relevant laws or regulations, it may engage a practitioner to examine and report on compliance with requirements of specified laws and regulations. Such an examination would be performed in accordance with AT-C section 315, Compliance Attestation.


Question: Can a service auditor obtain sufficient appropriate evidence about the operating effectiveness of controls in a SOC 2 examination through the performance of inquiry alone?

Reply: No. Inquiry alone does not provide sufficient appropriate evidence about operating effectiveness; the service auditor also performs procedures such as walk-throughs, observation, inspection of documents, and reperformance.


Question: How does a service auditor consider materiality in a SOC 2 examination?

Reply: The service auditor's consideration of materiality in a SOC 2 examination is discussed throughout the SOC 2 guide. Among other things, that guidance makes the following two key points:

  • The consideration of materiality is a matter of professional judgment and is affected by the service auditor's perception of the common information needs of the broad range of report users as a group and by whether misstatements could reasonably be expected to influence the relevant decisions made by that broad range of report users.
  • The service auditor should reconsider materiality if the service auditor becomes aware of information during the engagement that would have caused the service auditor to determine a different materiality initially.