
CPA Canada Guide to Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2)

(also available in French)

This product is available as a Download (eBook). The CPA Canada Guide to Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (SOC 2) is a practical resource for practitioners engaged to audit and report on the privacy and security of a service organization's systems.

Take your guides with you on your eReader, laptop, smartphone or tablet. SOC Guides are available in convenient and searchable eBook format!


Item: Download (eBook)
Item no.: 71550004
Price: $75.00
Prices may change without notice and are subject to the user license policies.
 

GUIDANCE FOR CANADIAN PRACTITIONERS ENGAGED TO AUDIT AND REPORT ON CONTROLS AT A SERVICE ORGANIZATION

SOC 2 is a practical resource for practitioners engaged to audit and report on the privacy and security of a service organization's systems. The guide is based on the requirements and guidance established in the CPA Canada Handbook – Assurance, Section 5025, Standards for Assurance Engagements Other Than Audits of Financial Statements and Other Historical Financial Information, which sets out the framework for assurance engagements of that kind.

Prepared by the Information and Management Technology Advisory Committee of CPA Canada’s Research, Guidance and Support Group, SOC 2 is designed to assist Canadian practitioners engaged to examine and report on a service organization’s controls over one or more of the following:

  • The security of a service organization’s system
  • The availability of a service organization’s system
  • The processing integrity of a service organization’s system
  • The confidentiality of the information that the service organization’s system processes or maintains for user entities
  • The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities

 

NOTICE OF FUTURE CHANGES AFFECTING THIS PUBLICATION

Update: Trust Services Principles and Criteria Now Called Trust Services Criteria

SOC 2 and SOC 3 engagements are based substantially on the Trust Services Principles and Criteria (now called the Trust Services Criteria), which are used when providing attestation or consulting services to evaluate controls relevant to the security, availability and processing integrity of a system, and the confidentiality and privacy of the information processed by the system.

In April 2017, the AICPA released the 2017 Trust Services Criteria which were codified in TSP Section 100. The extant trust services criteria (2016 trust services criteria) are codified in TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2016), and will be available through December 15, 2018. Until that date, service auditors may use either the 2016 trust services criteria or the 2017 trust services criteria as the evaluation criteria in a SOC 2 examination. After that date, the 2016 trust services criteria will be considered superseded. During the transition period, management and the service auditor should identify in the SOC 2 report whether the 2017 or 2016 trust services criteria were used. The trust services criteria are available as a free resource on aicpa.org and can be found at:

https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf

 

Description Criteria

The AICPA recently issued new description criteria for SOC 2 reports. The 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2 Report (2018 description criteria) are designed to be used in conjunction with the 2017 trust services criteria set forth in TSP section 100. The 2018 description criteria are codified as DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2 Report, in AICPA Description Criteria. When preparing a description of the service organization's system as of December 15, 2018 or earlier (type 1 examination), or a description for a period ending on December 15, 2018 or earlier (type 2 examination), either the 2018 description criteria or the 2015 description criteria may be used. During the transition period, management should identify in the description whether the 2018 or the 2015 description criteria were used.

When preparing a description of the service organization's system as of or after December 16, 2018 (type 1 examination), or a description of the system for a period ending on or after that date (type 2 examination), the 2018 description criteria should be used.

DC section 200 is available as a free resource on aicpa.org and can be found at:

https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/dc-200.pdf

 

Standards Update

Practitioners should be aware that Section 5025, Standards for Assurance Engagements Other Than Audits of Financial Statements and Other Historical Financial Information, has been replaced by Canadian Standards on Assurance Engagements (CSAE) 3000, Attestation Engagements Other Than Audits or Reviews of Historical Financial Information, and CSAE 3001, Direct Engagements, for reports dated on or after June 30, 2017.

Practitioners who continue to use this SOC 2 guide for attestation engagements whose assurance report is dated on or after June 30, 2017 are cautioned that the guide was prepared on the basis of Section 5025. They remain responsible for performing such engagements in accordance with CSAE 3000 and/or CSAE 3001, as applicable, on or after that date.

SOC Guide Update

The AICPA plans to release revised and improved guidance covering SOC 2 and SOC 3 engagements. CPA Canada plans to review the AICPA material and issue supplemental Canadian guidance. Pending release of that revised guidance, the guidance in this publication should continue to be used as a reference source.

RELATED PUBLICATIONS

SOC 1: The CPA Canada Guide, Service Organizations – Applying CSAE 3416, Reporting on Controls at a Service Organization

NOTE: SOC for Cybersecurity: The CPA Canada Guide, Reporting on an Entity’s Cybersecurity Risk Management Program and Controls is in progress and will be available soon.

 


ISBN: 978-1-55385-762-4
Publication Date: March 2014

© 2001-2018, CPA Canada | EYEP. All rights reserved.