Changes to SOC 2 Reporting

Changes to SOC 2 Reporting – An Introduction to the New 2017 Trust Services Criteria (TSP Section 100)

In 2017, the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) released an updated version of the Trust Services Criteria used in SOC 2 and SOC 3 examinations. The updated criteria are required for SOC 2 and SOC 3 reports covering periods ending on or after December 15, 2018 (early adoption is permitted). The new version is known as TSP Section 100; the previous version, the 2016 Trust Services Principles and Criteria, is known as TSP Section 100A. The changes rolled out in TSP Section 100 are significant and will affect every company that currently undergoes a SOC 2 or SOC 3 audit.


While you may have noticed changes within SOC 2 reporting, you might ask why these changes are necessary. The update issued by the AICPA's Assurance Services Executive Committee (ASEC) produced a new set of criteria, the 2017 Trust Services Criteria. The new criteria are aligned with the 2013 COSO Internal Control - Integrated Framework and do a more thorough job of addressing cybersecurity risk. The update also renamed the document from "Trust Services Principles and Criteria" to simply "Trust Services Criteria." Because the 2013 COSO framework already uses the word "principles" for the elements of internal control, ASEC dropped "principles" from the name to avoid confusion and kept only "criteria."

Overview of the 2013 COSO Framework Integration into SOC 2 and SOC 3

As with previous versions, TSP Section 100 keeps the same five categories (formerly called principles) as before:

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

The 2013 COSO framework consists of 17 principles and evaluates internal control across five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. In the 2017 Trust Services Criteria these 17 principles become common criteria series CC1 through CC5, one series per COSO component. A summary of the 17 internal control principles is as follows:

COSO's 17 Principles of Internal Control

Control Environment (CC1)
  • 1. Demonstrates commitment to integrity and ethical values
  • 2. Exercises oversight responsibility
  • 3. Establishes structure, authority, and responsibility
  • 4. Demonstrates commitment to competence
  • 5. Enforces accountability

Information and Communication (CC2)
  • 13. Uses relevant information
  • 14. Communicates internally
  • 15. Communicates externally

Risk Assessment (CC3)
  • 6. Specifies suitable objectives
  • 7. Identifies and analyzes risk
  • 8. Assesses fraud risk
  • 9. Identifies and analyzes significant change

Monitoring Activities (CC4)
  • 16. Conducts ongoing and/or separate evaluations
  • 17. Evaluates and communicates deficiencies

Control Activities (CC5)
  • 10. Selects and develops control activities
  • 11. Selects and develops general controls over technology
  • 12. Deploys through policies and procedures

In order to comply with the new 2017 Trust Services Criteria, service organizations will have to rearrange their internal control matrix: the new criteria do not map one-to-one to the criteria of the 2016 Trust Services Principles and Criteria, so existing controls must be re-mapped, and gaps identified, before the first examination under TSP Section 100.

Supplemental Criteria

Because the 17 COSO principles alone do not fully address the technical side of cybersecurity, the 2017 Trust Services Criteria supplement them with four additional common criteria series (CC6 through CC9) that service organizations must meet. The supplemental criteria consist of the following:

  • Logical and Physical Access Controls (CC6) – The logical and physical access controls a service organization puts in place to restrict access to systems, data, and facilities to authorized users and to prevent unauthorized access.
  • System Operations (CC7) – The management of system operations, including monitoring for anomalies, detecting and responding to security incidents, and recovering from them.
  • Change Management (CC8) – The controls in place to ensure that changes to infrastructure, software, and data within a service organization are authorized, tested, and approved before implementation.
  • Risk Mitigation (CC9) – The criteria for identifying and mitigating risks arising from business disruptions and from the use of vendors, business partners, and other third parties.

Added Points of Focus to All Criteria

Points of focus describe characteristics the auditor may consider when evaluating whether a criterion is met; they accompany every criterion, whether it derives from the 17 COSO principles, the trust services categories, or the supplemental criteria. Although points of focus are now explicitly listed in the criteria, auditors have always used these kinds of considerations in their reviews. Note that the AICPA does not require every point of focus to be individually addressed; they are aids to evaluation, not additional criteria. The 2017 Trust Services Criteria include 33 common criteria and approximately 200 points of focus. Across all five categories there are 61 criteria in total and over 300 points of focus.

How Does This Affect Your Organization?

Since this is a major update to SOC 2 and SOC 3 audits, companies that currently undergo these audits should consider performing a Readiness Assessment to map their existing controls to TSP Section 100, identify new controls that will need to be audited, and walk through the design effectiveness of each new control before the examination period begins.

The AICPA has published a mapping of the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria, which is a useful starting point for that exercise. For more information on the changes to SOC 2 reporting and the Trust Services Criteria, contact CyberGuard Compliance today at ContactUs@CGCompliance.com.

Resources

CyberGuard has assembled top tier professionals to help our clients through the IT Audit and Cybersecurity Audit process. For further information regarding any of our service audits, or to request a fee proposal from CyberGuard, please visit our Contact Us page or call 1-866-480-9485 today. We look forward to hearing from you!