SOC 2 experts of Frazier & Deeter’s own Process, Risk & Governance practice walk-through the reporting changes.
Moderator – Sabrina Serafin | Partner & National Practice Leader
Gina Gondron | Partner
Shelby Nelson | Director
Update on the AICPA’s SOC 2 Framework Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
This podcast was published on 06.11.2018.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice. Today, we’re talking about the changes to the System & Organization Control requirements, formerly known as Service Organization Controls or SOC examinations. Joining me are Gina Gondron, a Partner at Frazier & Deeter, who is an AICPA peer reviewer, and Shelby Nelson, Director, who has recently obtained her SOC for Cybersecurity certificate, also through the AICPA. Both are members of the Process, Risk & Governance practice here at Frazier & Deeter. Shelby, could you explain what the key changes to the framework are and how they’ll impact organizations that are currently going through a SOC examination?
Shelby: Absolutely, thank you, Sabrina. So if you are a current SOC 2 issuer, regardless if you are reporting a type 1 or type 2 SOC 2 report, and your report will be issued on or before December 15th of 2018, you must be reporting in accordance with the new SOC 2 framework that Sabrina just mentioned. The biggest impact of this new framework is the security category, which is the required category for all SOC 2 reports. This category has been greatly expanded to include criteria that were previously only addressed in one or more of the additional SOC 2 categories of availability, confidentiality, processing integrity and privacy.
Because these criteria have been greatly expanded, if you are a current SOC 2 reporter, you will need to include the additional controls in your report for the security category. If you are considering a SOC 2 report, be sure to consider your examination period and take into consideration the timeline of the new SOC 2 framework deadline, December 15th of 2018, and how that will impact your SOC report. So, for current SOC 2 reporters, be sure to work with your service auditor to ensure that the appropriate framework for your examination is being applied.
Sabrina: Thank you, Shelby. It seems very complex and a lot of additional responsibilities for service organizations. Gina, can you explain to us why the AICPA is taking us in this direction?
Gina: Thank you, Sabrina. The AICPA has taken the approach of mapping the new SOC 2 framework to the COSO 2013 framework. COSO is an internationally recognized framework, which is moving the AICPA and SOC 2 away from just a U.S.-focused SOC 2 framework to a globally focused framework. Issuers are now required to take greater consideration of some organizational aspects that they may have not considered with the old framework, such as their current risk assessment process and how they are looking at risks from an organizational perspective. They also have to take into consideration their management oversight practices, as well as cybersecurity and how their organization is impacted by cyber risks. Other challenges are for organizations of varying sizes, they’ll have to adapt to determine they comply with the new framework.
Sabrina: Thank you, Gina. For those organizations who’ve not been exposed to COSO previously, how might these requirements now be addressed?
Gina: COSO is technically a framework that was implemented for public companies. In SOC 2, reporters can be companies of varying sizes: small, large, private and public. Organizations will have activities to implement and determine how they comply with the COSO framework but also take into consideration the size and complexity of their organization.
Sabrina: Could you elaborate with some examples for our listeners?
Gina: One example of the COSO 2013 and new SOC 2 framework is that organizations have a board of directors that oversees the compliance and organizational outlook of their company. There may be some companies that are smaller and private that do not have a board of directors, so organizations need to really think about how the tone of the top communication is being pushed out to their smaller companies.
Sabrina: Overall governance comes in many shapes and sizes, and there may not be a board of directors, but there are shareholders or stakeholders and executives who are tasked with that governance responsibility. It’s really the service organization’s opportunity to work with management to determine what controls are in place.
Gina: That’s right, and we at Frazier & Deeter have already been helping our existing clients by tailoring their controls and activities to fit the COSO framework. We’ve been working with them based on their size and complexity to ensure that they are in compliance and aligned with the COSO framework, no matter how small they are.
Sabrina: Shelby, you addressed some of the framework changes earlier, and the AICPA has also expanded the security control requirements. Can you give us an understanding of what they’ve done and why they’ve done it?
Shelby: Certainly, Sabrina. So, let me first start by saying that in the old framework, the five categories were called “trust principles.” Those have been renamed to “trust categories.” The trust categories contain criteria, and management adds controls to meet the criteria for each category.
Your question was specific to the security category, which is the required category for all SOC 2 reports. With the new alignment to COSO 2013, the AICPA has taken criteria from the other trust categories and pulled them up into the security category. The reason for doing this is to make sure, as Gina mentioned, that management is taking into consideration elements of risk management, cybersecurity, logical access, physical security, into the overall security trust category. In the old framework, there were 23 criteria and that has been expanded to 33.
Sabrina: So, this is a pretty significant change.
Shelby: That’s right, significant is the perfect word, and we are working with our clients to help them absorb that change and continue to be efficient SOC 2 reporters.
Sabrina: Thank you, Shelby and Gina. We appreciate the insight and guidance, and I want to offer our listeners the opportunity to visit our website to get a deeper understanding of the changes. Our team is always available to walk through the changes with any service organization. Thank you again for joining us for Frazier & Deeter’s Culture of Compliance podcast, and please join us for our next episode.