One of the 5 Trust Services Criteria of SOC 2 audits. Including the Privacy Principle in your SOC 2 audit report ensures that your organization is handling client data in accordance with the commitments made or agreed upon in its privacy notice. The Privacy Principle also demonstrates that you’re handling client data in accordance with criteria issued by the AICPA, including management, notice, choice and consent, collection, use, retention and disposal, access, disclosure to third parties, security, quality, and monitoring and enforcement.
Formerly the Trust Service Principles, the Trust Service Criteria are the 5 core categories for all SOC 2 audits. They are: security, availability, confidentiality, processing integrity, and privacy.
In 2016, the AICPA updated the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) to No. 18 (SSAE 18). This change was made to simplify and converge attestation standards related to SOC 1 audits. SSAE 18 has also expanded to cover more types of attestation reports (including SOC 2), whereas SSAE 16 was limited to only SOC 1 reports.
The SSAE 16 (Statement on Standards for Attestation Engagements No. 16), introduced in 2011, provides auditors a way to report on something other than financial statements: SSAE 16 reports on the design and operating effectiveness of controls at a service organization as they relate to their clients’ internal control over financial reporting (ICFR). Prior to the SSAE 16, CPAs used what was known as SAS 70.
A SOC for Cybersecurity examination is how a CPA reports on an organization’s cybersecurity risk management program. Its intent is to communicate information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users an entity-wide perspective and confidence in an organization’s cybersecurity risk management program.
A SOC for Cybersecurity examination reports on three elements: Management’s Description, Management’s Assertion, and Practitioner’s Opinion.