SOC Report 2022 Revised Points of Focus

In late 2022, the AICPA updated its guidance on performing System and Organization Controls (SOC) attestations with revised points of focus that offer enhanced context for meeting the criteria in your report. Organizations and their auditors should be aware of the updates and actively incorporate these revised points of focus into their control rationalization process and report for this cycle.

It is important to recognize that the trust services categories and criteria from 2017 have not changed. In addition, the revised points of focus themselves are not criteria but rather a range of considerations that could apply to a company’s controls in meeting its client commitments and the criteria of the trust service categories. Points of focus clarify the areas of risk when developing controls.

The AICPA updated the points to address:

  • an environment of ever-changing technologies, threats, and vulnerabilities along with other matters that may create additional risks to organizations;
  • changing legal and regulatory requirements and related cultural expectations regarding privacy;
  • data management (for example, data storage, backup, and retention), particularly when related to confidentiality; and,
  • which points of focus related to privacy may apply only to an organization that is a data controller or only to an organization that is a data processor.

The revised points of focus include those specified in the COSO framework, as well as additional points of focus within the security trust services category (otherwise known as the common criteria) when using other specified trust services criteria (e.g., availability, confidentiality, or privacy), and additional points of focus when using the trust services criteria at the system level.

It is also important to note that not all objectives may be necessary to support the achievement of the entity’s objectives in a particular engagement. For example, financial reporting objectives may not be relevant to a SOC examination because the subject matter being evaluated by the criteria is not related to financial reporting. Likewise, not all points of focus need to be addressed by controls to satisfy a criterion. The impact of the revised points of focus can be significant depending on the trust service categories your report addresses but, in any case, this revision is an opportunity to take a fresh look at the scope of your report and contemplate the points of focus in relation to your environment, controls, and criteria for the trust service categories you selected.

As with any significant changes to a standard, the AICPA has issued an updated guide, “2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022),” which details the changes. This guide is available through the AICPA website.

As service auditors, AAFCPAs helps clients navigate these updates and advises on designing more complete, effective controls that meet criteria for a SOC Type 1 or Type 2 report.

If you have questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062 or jjumes@aafcpa.com; Andrew Mathieson, CISA, CDPSE, CCSFP HITRUST, CISRCP, CCSK at 774.512.9089 or amathieson@aafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST, for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Andrew Mathieson
Andrew is a seasoned IT risk & cybersecurity advisor and a leader in AAFCPAs’ Business Process & IT Consulting Practice responsible for providing information risk management, cybersecurity, and special IT attestation solutions. He helps clients—and those charged with governance and risk management—navigate their digital ecosystem with confidence. This confidence enables further innovation through technology! Andrew has extensive experience providing direction, supervision, performance, and review of audit engagements, including SOC 1, SOC 2, SOC for Cybersecurity, and SOC 2+HIPAA. He also provides HITRUST Certification examinations and assessments, GDPR assessments, FFIEC assessments, GLBA assessments, HIPAA assessments, Internal Risk Assessments, and SOX 404 audits. He renders these services across a variety of industries, including Healthcare, Managed IT Services, SaaS/PaaS/IaaS companies, Data Centers, Cloud Services, Collection agencies, Printing and Mailing companies, Financial Corporations, and diverse nonprofit organizations.