SOC Report 2022 Revised Points of Focus

Posted on July 21, 2023

In late 2022, the AICPA updated its guidance on performing System and Organization Controls (SOC) attestations with revised points of focus that offer enhanced context for meeting the criteria in your report. Organizations and their auditors should be aware of the updates and go through an exercise to actively incorporate these revised points of focus into your control’s rationalization process and report for this cycle.

It is important to recognize that the trust services categories and criteria from 2017 have not changed. In addition, the revised points of focus themselves are not criteria but rather a range of considerations that could apply to a company’s controls in meeting its client commitments and the criteria of the trust service categories. Points of focus clarify the areas of risk when developing controls.

The AICPA updated the points to address:

an environment of ever-changing technologies, threats, and vulnerabilities along with other matters that may create additional risks to organizations;
changing legal and regulatory requirements and related cultural expectations regarding privacy;
data management (for example, data storage, backup, and retention), particularly when related to confidentiality; and,
which points of focus related to privacy may apply only to an organization that is a data controller or only to an organization that is a data processor.

The revised points of focus include those specified in the COSO framework, as well as additional points of focus within the security trust service category (otherwise known as the common criteria) when using other specified trust services criteria (e.g., availability, confidentiality, or privacy),and additional points of focus when using the trust services criteria at the system level.

It is also important to note that not all objectives may be necessary to support the achievement of the entity’s objectives in a particular engagement. For example, financial reporting objectives may not be relevant to a SOC examination because the subject matter being evaluated by the criteria is not related to financial reporting. Likewise, not all points of focus need to be addressed by controls to satisfy a criterion. The impact of the revised points of focus can be significant depending on the trust service categories your report addresses but, in any case, this revision is an opportunity to take a fresh look at the scope of your report and contemplate the points of focus in relation to your environment, controls, and criteria for the trust service categories you selected.

As with any significant changes to a standard, the AICPA has issued an updated guide “2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022), which details the changes. This guide is available through the AICPA website.

As service auditors, AAFCPAs helps clients navigate these updates and advises on designing more complete, effective controls that meet criteria for a SOC Type 1 or Type 2 report.

If you have questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062 or jjumes@nullaafcpa.com, Andrew Mathieson, CISA, CDPSE, CCSFP HITRUST, CISRCP, CCSK at 774.512.9089 or amathieson@nullaafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the firm’s Business Process & IT Consulting practice. He leads a team of senior technologist in the delivery of solutions related to business intelligence & productivity, information risk management and cybersecurity, and special IT attestations, compliance, and certifications. His goal is to strengthen the links between people, process, and technology, which increases productivity and drives business growth. James has more than 30 years of experience working with information technology …

Andrew Mathieson, CISA, CDPSE, CCSFP, HITRUST, CISRCP, CCSK

Andrew is a seasoned IT risk & cybersecurity advisor and a leader in AAFCPAs’ Business Process & IT Consulting Practice responsible for providing information risk management, cybersecurity, and special IT attestation solutions. He helps clients—and those charged with governance and risk management—navigate their digital ecosystem with confidence. This confidence enables further innovation through technology! Andrew has extensive experience providing direction, supervision, performance, and review of audit engagements, including SOC 1, SOC 2, SOC for Cyber security, …

Related Insights

A Startup’s First Steps to SOC Readiness

Early-stage companies have a lot to contend with, including funding, staffing, infrastructure, product development, and marketing, which can create a chaotic environment. Those that collect personal identifiable information or health information as part of their business model also must add earning their SOC (System and Organization Control) certification to the list. The SOC Report has […]

SOC Report: Why are our Sales & Marketing Teams Insisting we have one?

Prospects may ask for a SOC report as a way to assess the controls and processes in place at an organization before doing business with them. Many organizations, particularly in regulated industries or those that handle sensitive information, are required to demonstrate compliance with relevant regulations and industry standards. A SOC report can be an […]

SOC 2 Meets Death Master File Certification Requirements

The System and Organization Controls (SOC) framework may be mapped to achieve requirements of the National Technical Information Service’s (NTIS) Limited Access Death Master File (LADMF) certification. When choosing SOC 2 to achieve your LADMF certification, businesses may also benefit from the marketing value of their SOC 2 attestation, which demonstrates your commitment to access […]