The AICPA has published new nonauthoritative guidance that addresses issues related to System and Organization Controls 2 and 3 (SOC 2 and SOC 3) engagements.
The guidance addresses trust services categories, who can perform a SOC 2 examination, procedures for testing operating effectiveness and more. The guidance also addresses the effects of a service organization’s lack of an independent board of directors on the service auditor’s opinion on the suitability of design of controls. See the FAQs.