SOC 2 Resources & Links

This page lists SOC 2 and SOC 3 links to official AICPA and Cloud Security Alliance pages, and downloadable copies of what those organisations share freely. We have brought together a lot of official documents and commentary to make what has been confusing as clear as possible.

The AICPA and CICA (soon to be Chartered Professional Accountants Canada) are jointly responsible for the Service Organization Controls framework.

Start Here: We recommend starting with the AICPA overview and reports links, the videos listed below, the CSA Position Paper on SOC Reports, and then reviewing the document Information for Management of a Service Organization. We will be adding our own quick reference documents in coming weeks.

AICPA/CICA Links

AICPA Overview of SOC Standards used and Report Contents

AICPA Guide to Choosing What SOC Report Suits You as Client

AICPA Central SOC Report Resource Page

SOC 2 Reporting News
New documents listed in the bottom half of the page.

AICPA Service Organization Control Publications Page (available for purchase)

Service Organization Control Reports: Considerations for User and Service Auditors 2013 (available for purchase)
WARNING: May be out-of-date in 2014. Directed at auditors but helpful for management responsible for SOC readiness.

AICPA Restrictions on use of SOC Logos

AICPA Privacy Resource Page
Privacy is one of the SOC 2 Principles and its criteria are based on the AICPA’s Generally Accepted Privacy Principles.

ASEC Trust Services and Information Integrity Task Force
Group that maintains the Trust Services Principles and Criteria used in SOC2, and finalises the new version that is due in 2014.

AICPA Privacy and Assurance Attestation information
Explains what Standard, Assurance guidance and Criteria apply (designed for US CPAs)

Videos

Video Introduction to SOC Framework (AICPATV 5mins Jan 2011)
From AICPA President introducing how and why of SOC reporting and the replacement of SAS 70.

Video Introduction to SOC Reports (AICPATV 5 mins May 2011)
Another introduction to how and why of SOC reporting and the replacement of SAS 70, and the intro of SSAE 16 and SOC 1.

Cloud Security Alliance Resources

CSA Position Paper on Service Organization Control Reports (Feb 2013) 3MB
Simple 8 page introduction to the framework and the reports.

CSA Cloud Control Matrix v3.0
Excellent for applying control principles to cloud computing; has an outstanding comparison of detailed control frameworks, including CSA CCM v3.0, SOC 2, COBIT, ISO 27000 and US-Government-specific frameworks.

Security Guidance for Critical Areas in Cloud Computing v3.0 5MB
14 Domains of security addressing Architecture, Governance and Operations in Cloud Computing.

CSA – 9 Implementation Guides for Security as a Service
Series of 9 Implementation Guides for key areas in Cloud Security. Crosses over with SOC 2 Security Principle and criteria.

Core AICPA/CICA Documents downloadable

Information for Management of a Service Organization (2011)
An introductory summary of the SOC 2 guide for management considering SOC readiness or audit. Good starting point that sets out the steps and requirements.
(downloaded Jan 2014 from AICPA)

AICPA Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report
An introduction for firms considering being audited. Simplified version of the Information for Management.
(downloaded Jan 2014 from AICPA)

Trust Service Principles Section 100 (2009)
The current ‘bible’ for what service organisations have to meet to pass SOC 2 or SOC 3 audits.
WARNING: An exposure draft is currently on issue which simplifies and improves the framework. See next item.
(downloaded Jan 2014 from CICA)

Exposure Draft Trust Principles & Criteria (July 2013)
A simplified framework that is substantially the same as the 2009 version but structured to be easier to apply and integrated with identifying risk. Final acceptance was planned for Dec 2013 and a new guide planned for June 2014, but no news at Jan 2014. Comment period closed Sept 2013.
(downloaded Jan 2014 from AICPA)

AICPA Technical Practice Aid on SOC 1 and SSAE 16 Reports – TIS_Section_9520 (Nov 2011)
Explains formal attestation guidelines for auditors to report on financial internal controls in a service organisation. Relevant for SOC 1 and SSAE 16.
(downloaded Jan 2014 from AICPA)

AICPA Technical Practice Aid on SOC Reports – TIS_Section_9530 (Nov 2011)
Explains formal attestation guidelines for auditors to report on non-financial internal controls in a service organisation. Relevant for SOC 2 and SOC 3.
(downloaded Jan 2014 from AICPA)

Other AICPA Documents downloadable

AICPA Flyer on SOC Reports
(downloaded Jan 2014 from AICPA)

AICPA Infographic on Evolution of SOC from SAS70
(downloaded Jan 2014 from AICPA)

AICPA Case Study of SOC at Confirmation.com
(downloaded Jan 2014 from AICPA)

AICPA ASEC Information Integrity Whitepaper (Jan 2013)
Defines what information integrity is and how to achieve it in general terms.
(downloaded Jan 2014 from AICPA)

Other Links

AICPA Newsletter 2012: Explaining SOC
History from SAS 70 to SOC; report types; report uses.

Article: Replacing SAS 70 from Journal of Accountancy, Aug 2010.

Article: Expanding Service Organization Controls Reporting from  Journal of Accountancy, July 2011.
Good introduction.