In late 2017, the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) released an updated version of the Trust Services Criteria used in SOC 2 and SOC 3 audits. The update takes effect for audit reports dated December 15, 2018, and later. The new version is known as TSP Section 100; the previous version, the Trust Services Principles and Criteria, is now designated TSP Section 100A. The changes introduced in TSP Section 100 are significant and affect every company currently undergoing a SOC 2 or SOC 3 audit.
If you have noticed changes in SOC 2 reporting, you may wonder why they were necessary. ASEC's update produced a new set of criteria, the 2017 Trust Services Criteria, that aligns with the 2013 COSO Internal Control framework and addresses cybersecurity risk more directly than the previous version. The update also renamed the document from "Trust Services Principles and Criteria" to simply "Trust Services Criteria." Because the 2013 COSO framework already uses the word "principles" for its own elements of internal control, ASEC dropped "principles" from the name to avoid confusion and refers only to criteria.
Overview of the 2013 COSO Framework Integration into SOC 2 and SOC 3
As with previous versions, TSP Section 100 keeps the same five categories (formerly called principles) as before: security, availability, processing integrity, confidentiality, and privacy.
The 2013 COSO framework consists of 17 principles organized under five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. A summary of the 17 internal control principles is as follows:
In order to comply with the 2017 Trust Services Criteria, service organizations will have to rearrange their internal control matrix, because the new criteria do not map one-to-one to the corresponding criteria in the 2016 Trust Services Principles and Criteria.
The 2017 Trust Services Criteria incorporate the 17 COSO principles above as common criteria and add four supplemental common criteria that service organizations must also meet in order to address cybersecurity threats. The supplemental criteria consist of the following: logical and physical access controls, system operations, change management, and risk mitigation.
Added Points of Focus to All Criteria
Points of focus describe characteristics that an auditor may consider when evaluating whether the 17 COSO-based criteria, the supplemental criteria, and the category-specific Trust Services Criteria are met; they are not additional requirements in themselves. Although points of focus have now been explicitly written into the criteria, auditors have always considered such elements in their reviews. The 2017 Trust Services Criteria include 33 common criteria with approximately 200 points of focus. Across all five categories, there is a total of 61 criteria and over 300 points of focus.
Since this is a major update to SOC 2 and SOC 3 audits, companies that currently undergo these audits should consider performing a readiness assessment to map their existing controls to TSP Section 100, identify new controls that will need to be audited, and walk through the design effectiveness of each new control before the first audit period under the new criteria.
The AICPA has published a mapping of the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria, which is a useful starting point for that mapping exercise. For more information on the changes to SOC 2 reporting and the Trust Services Criteria, contact CyberGuard Compliance at ContactUs@CGCompliance.com.