In late 2017, the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) released guidance for the updated version of the Trust Services Criteria for SOC 2 and SOC 3 audits. The new SOC 2 standards take effect for all audit period end dates past December 15, 2018. This new version is known as TSP Section 100, with the existing (or extant) version of the Trust Service Principles and Criteria known as TSP Section 100A. The changes rolled out in TSP Section 100 are significant and will impact all companies currently undergoing SOC 2 or SOC 3 audits.
Why the Change?
The AICPA lists the following key benefits of the new criteria:
COSO Internal Control – Integrated Framework
The 2013 COSO Internal Control—Integrated Framework is widely adopted and commonly used to assess the design and operating effectiveness of an entity’s internal control over financial reporting. Integrating this well-respected framework into the Trust Services Criteria makes sense because, like COSO, the Trust Services Criteria are used to evaluate internal controls – specifically controls covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. COSO is made up of 17 principles, which are grouped into the following categories:
Supplemental Trust Services Criteria
COSO Principle 12 provides the following guidance: “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” Building on that concept, the new Trust Services Criteria describe specific control activity criteria (supplemental criteria), beyond the COSO principles, that should be used to evaluate the internal controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy. The supplemental criteria include:
Specific Criteria for Additional Trust Services Categories
As in previous versions of the Trust Services Principles and Criteria, there are common criteria shared by all five trust services categories. The Security category consists of the complete set of common criteria; Availability, Processing Integrity, Confidentiality, and Privacy each add further criteria specific to that category. It is also important to note that the general definitions of the categories were not revised for the 2017 guidance.
Points of Focus
Points of focus are new to the SOC 2 standards but have long been part of the COSO framework. Each criterion is presented with a list of several points of focus – characteristics important to that criterion. The points of focus provide more detail on the aspects that should be covered in the design, implementation, and operation of controls. The 2017 Security Trust Services Criteria consist of 33 common criteria with almost 200 points of focus. Across all Trust Services Criteria, there are 61 criteria with almost 300 points of focus.
Points of Focus Considerations
The numbers listed above should not cause too much worry: most of the points of focus describe things SOC auditors already review; they simply had not been spelled out this way in the past. In addition, not all points of focus are suitable or relevant to every entity or engagement. It is important to note that a point of focus is NOT required to have a corresponding control activity.
Best Way to Prepare
For those currently undergoing an annual SOC 2 audit, below are some key activities to prepare for the new SOC 2 standards.