What you should know regarding the key changes to SOC 2 reporting (TSP Section 100)
In late 2017, the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) released guidance for the updated version of the Trust Services Criteria for SOC 2 and SOC 3 audits. This updated version takes effect for all audit period end dates past December 15, 2018. This new version is known as TSP Section 100, with the existing (or extant) version of the Trust Service Principles and Criteria known as TSP Section 100A. The changes rolled out in TSP Section 100 are significant and will impact all companies currently undergoing SOC 2 or SOC 3 audits.
Why the Change?
The AICPA lists the following key benefits of the new criteria:
- Alignment with the 2013 COSO Internal Control Integrated Framework
- Better addresses cybersecurity risks
- Increases flexibility in application
COSO Internal Control – Integrated Framework
The 2013 COSO Internal Control—Integrated Framework is widely adopted and commonly used to assess the design and operating effectiveness of an entity’s internal control over financial reporting. Integrating this well-respected framework into the Trust Services Criteria makes sense because, like COSO, the Trust Services Criteria are used to evaluate internal controls, specifically controls covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. COSO is made up of 17 principles, which are grouped into the following categories:
- Control Environment
- Communication and Information
- Risk Assessment
- Monitoring Activities
- Control Activities
Supplemental Trust Services Criteria
COSO Principle 12 provides the following guidance: “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” To build on that concept, the new Trust Services Criteria describe specific control activity criteria (supplemental criteria) beyond the COSO principles that should be used to evaluate the internal controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy. The supplemental criteria include:
- Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
- System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
- Change management: The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
- Risk mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.
Specific Criteria for Additional Trust Services Categories
As in previous versions of the Trust Services Principles and Criteria, there are common criteria that apply to all five of the trust services categories. The Security category consists of the complete set of common criteria, and there are additional criteria specific to Availability, Processing Integrity, Confidentiality, and Privacy. It is also important to note that the general definitions of each of the categories were not revised for the 2017 guidance.
Points of Focus
Points of focus are new to SOC reporting but have long been a part of the COSO framework. Each criterion is presented with a list of several points of focus, or characteristics important to that criterion. The points of focus provide more detail as to the aspects that should be included in the control design, implementation, and operation. The 2017 Security Trust Services Criteria consist of 33 common criteria with almost 200 points of focus. Across all Trust Services Criteria, there are 61 criteria with almost 300 points of focus.
Points of Focus Considerations
The numbers listed above should not cause too much worry. Most of the points of focus are things SOC auditors are already reviewing; they simply had not been spelled out in this way in the past. In addition, not all points of focus are suitable or relevant to a given entity or engagement. It is important to note that each point of focus is NOT required to have a corresponding control activity.
Best Way to Prepare
For those currently undergoing an annual SOC 2 audit, below are some key activities to prepare for the standard changes.
- Gain an understanding of the new trust services criteria as they apply to your current business and control matrix
- Conduct a controls rationalization or readiness assessment, taking into consideration the additional controls required by the new standard
- Update policies and procedures related to the newly in-scope controls