Are New AICPA SOC 2 Criteria Updates on the Horizon?
Key Takeaways
- 2022 Updates Focused on Clarification, Not Criteria Changes: The 2022 revisions updated the Trust Services Criteria points of focus and implementation guidance to clarify expectations and address evolving risks, but the underlying SOC 2 criteria remained unchanged.
- Technology and Threat Landscapes Are Rapidly Evolving: Increased use of AI, cloud computing, remote workforces, and more advanced cyber threats such as AI-driven attacks are reshaping service organization environments.
- Industry Pressures May Drive Future Updates: The rise of vendors offering quick SOC 2 compliance solutions has raised concerns about report quality, objectivity, and credibility, potentially prompting tighter guidance or updates.
- SOC 2 Modernization May Be Approaching: With nearly a decade since the core criteria were introduced, growing technological and regulatory changes suggest that more substantial updates to SOC 2 could be on the horizon.
Over the course of the last decade, the American Institute of Certified Public Accountants’ (AICPA) SOC 2 framework has remained a cornerstone of third-party attestation relating to security, availability, processing integrity, confidentiality, and privacy. In 2022, the AICPA released updates to the points of focus and implementation guidance; however, these revisions did not alter any of the underlying criteria. This article briefly covers the 2022 changes and outlines possible reasons why further changes may be on the horizon.
Updates Made in 2022
As in every industry, technology, cybersecurity threats, and regulatory expectations have changed significantly over the last decade. Revisions were made in October 2022 to the 2017 Trust Services Criteria (TSC) points of focus and to the 2018 Description Criteria (DC-200) implementation guidance, though the underlying criteria have remained consistent since their creation. These revisions primarily clarified auditor and service organization expectations and provided guidance to address new risks, technologies, and data management practices. Although these were essential updates, the criteria themselves remained unchanged, possibly signaling a fuller refresh in the future to keep up with the changing landscape.
Evolving Environments and Change Indicators
Since the 2022 updates, several changes have occurred in service organization environments. The use of artificial intelligence (AI) and cloud resources has increased drastically, as has reliance on remote workforces. Threat actors have also evolved, deploying ransomware and other attacks that make use of AI and automation. With all these technological changes and advancements, a revision of the criteria could be in the pipeline.
In recent months, several indicators suggest that changes could be coming. As the governing body of the SOC 2 criteria, the AICPA is tasked with developing the framework, defining the criteria, and providing guidance and updates. Vendors promising quick and easy SOC 2 compliance have entered the conversation, leading to concerns around the effect on the industry. Although these solutions can provide some efficiencies, they also introduce risks that could affect the credibility, objectivity, and quality of the SOC 2 reports.
While the AICPA has not substantially updated the core SOC 2 criteria in nearly ten years, the world around those original criteria has transformed. The 2022 updates offered clarity, but not modernization. Given the sweeping changes in IT, cybersecurity, and regulatory environments, the stage is set for future revisions to the SOC 2 Description Criteria and Trust Services Criteria. Organizations should stay attentive, as the next evolution of SOC 2 may be closer than it appears.
If your entity is interested in obtaining any additional information on SOC reports, or if there are any other questions related to SOC, please contact us. For more information on these services and more, be sure to visit our firm’s SOC & Cybersecurity industry page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA, CCSFP, CHQP, CCA regarding our services.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Senior Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology Consulting Practice, performing SOC 1, SOC 2, and SOC 3 engageme…