SOC Report 2022 Revised Points of Focus
In late 2022, the AICPA updated its guidance on performing System and Organization Controls (SOC) attestations with revised points of focus that offer enhanced context for meeting the criteria in your report. Organizations and their auditors should be aware of the updates and go through an exercise to actively incorporate these revised points of focus into your control’s rationalization process and report for this cycle.
It is important to recognize that the trust services categories and criteria from 2017 have not changed. In addition, the revised points of focus themselves are not criteria but rather a range of considerations that could apply to a company’s controls in meeting its client commitments and the criteria of the trust service categories. Points of focus clarify the areas of risk when developing controls.
The AICPA updated the points to address:
- an environment of ever-changing technologies, threats, and vulnerabilities along with other matters that may create additional risks to organizations;
- changing legal and regulatory requirements and related cultural expectations regarding privacy;
- data management (for example, data storage, backup, and retention), particularly when related to confidentiality; and,
- which points of focus related to privacy may apply only to an organization that is a data controller or only to an organization that is a data processor.
The revised points of focus include those specified in the COSO framework, as well as additional points of focus within the security trust service category (otherwise known as the common criteria) when using other specified trust services criteria (e.g., availability, confidentiality, or privacy),and additional points of focus when using the trust services criteria at the system level.
It is also important to note that not all objectives may be necessary to support the achievement of the entity’s objectives in a particular engagement. For example, financial reporting objectives may not be relevant to a SOC examination because the subject matter being evaluated by the criteria is not related to financial reporting. Likewise, not all points of focus need to be addressed by controls to satisfy a criterion. The impact of the revised points of focus can be significant depending on the trust service categories your report addresses but, in any case, this revision is an opportunity to take a fresh look at the scope of your report and contemplate the points of focus in relation to your environment, controls, and criteria for the trust service categories you selected.
As with any significant changes to a standard, the AICPA has issued an updated guide “2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022), which details the changes. This guide is available through the AICPA website.
As service auditors, AAFCPAs helps clients navigate these updates and advises on designing more complete, effective controls that meet criteria for a SOC Type 1 or Type 2 report.
If you have questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062 or firstname.lastname@example.org, Andrew Mathieson, CISA, CDPSE, CCSFP HITRUST, CISRCP, CCSK at 774.512.9089 or email@example.com; or your AAFCPAs Partner.