Geometric pattern of cubes and connected lines,

System and organization controls (SOC) 2 guide: Reporting on controls at a service organization

Explore the updated SOC 2 Guide, a non-authoritative resource which we have adapted from the AICPA’s 2022 version to meet Canadian standards.

This guide is intended for practitioners who are engaged to report on a service organization's controls relevant to security, availability, processing integrity, confidentiality and privacy.

What’s new in the 2024 guide? 

New as of 2024, this guide has been revised to incorporate: 
  • updates included in the AICPA Guide SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy published October 2022.
  • additional guidance included in the AICPA Guide, Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing or Distribution System (SOC for supply chain guide). This includes updated risk assessment guidance.
  • updates to reflect the new Canadian standards on quality management including the Canadian Standard on Quality Management (CSQM 1), which replaces the extant standard Canadian Standard on Quality Control (CSQC 1).
  • additional updates about the following matters: 
    • making qualitative materiality assessments,  
    • considering the service organization’s use of software applications and tools, 
    • considering the operation of periodic controls that operated prior to the period covered by the engagement, 
    • considering management’s use of experts, 
    • performing and reporting in a SOC 2+ engagement (including an updated illustrative service auditor’s report), and addressing considerations when the service organization has identified a service commitment or system requirement related to meeting the requirements of a process or control framework [such as the Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) or National Institute of Standards and Technology (NIST).

What is SOC 2? 

SOC 2 is a practical resource for practitioners engaged to report on service organization’s controls relevant to security, availability, processing integrity, confidentiality, or privacy. The engagement described in this guide is based on the requirements and application material set out in the CPA Canada Handbook – Assurance and specifically Canadian Standard on Assurance Engagements (CSAE) 3000, Attestation Engagements Other than Audits or Reviews of Historical Financial Information. CSAE 3000 deals with assurance engagements other than audits of financial statements and other historical financial information performed by practitioners.

This guide is a non-authoritative resource which has been adapted by CPA Canada from the AICPA version to meet Canadian standards. SOC 2 engagements are designed to assist Canadian practitioners engaged to report on a service organization’s controls over one or more of the following:

  • the security of a service organization’s system
  • the availability of a service organization’s system
  • the processing integrity of a service organization’s system
  • the confidentiality of the information that the service organization’s system processes or maintains for user entities
  • the privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities

What is included in this guide? 

Key topics:

  • non-authoritative guidance on performing and reporting on SOC 2, SOC 2+ and SOC 3 engagements
  • understanding the difference between a type 1 and type 2 SOC 2 report
  • illustrative management statements and management representation letters
  • illustrative service auditor's reports, including reporting in accordance with both Canadian and international, or Canadian and U.S. standards
  • 2018 description criteria for a Description of a Service Organization's System in a SOC 2 report (with revised implementation guidance – 2022)
  • 2018 trust services criteria for security, availability, processing integrity, confidentiality and privacy (with revised points of focus – 2022)

The main guide also comes with four additional companion documents with illustrative examples:

  • SOC 2® Illustrative Type 2 Report (Including Management Statement, Service Auditor’s Report, and the Description of the System)
  • SOC 2® Illustrative Management Representation Letter for Type 2 Engagement
  • SOC 2® Illustrative Management Representation Letter for Type 1 Engagement
  • Illustrative Management Statement and Service Auditor’s Report for a SOC 3® Engagement