Established by the AICPA Assurance Services Executive Committee (ASEC), this resource presents control criteria for use in attestation or consulting engagements to evaluate and report on controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems

• across an entire entity.
• at a subsidiary, division, or operating unit level.
• within a function relevant to the entity’s operational, reporting, or compliance objectives.
• for a type of information used by the entity.

This guidance is useful in reporting on SOC for Cybersecurity engagements, SOC 2^® engagements, and SOC 3^® engagements. The 2017 edition revises the trust services criteria to align with the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 Internal Control—Integrated Framework, to better address cybersecurity risks and increase flexibility in application across an entire entity, including at a subsidiary, division, or operating unit level within a function relevant to an entity’s operational, reporting, or compliance objectives.

Key Benefits

• Alignment with the 2013 COSO Internal Control—Integrated Framework
• Better addresses cybersecurity risks
• Increases flexibility in application

Who Will Benefit?

• Practitioners performing attestation or consulting services
• Practitioners performing engagements using trust services criteria including SOC for Cybersecurity, SOC 2 examinations, and SOC 3 examinations