
As risk evolves, so does SOC 2 reporting

Technological advances over the past 25 years have driven unimaginable conveniences, but our rapidly evolving technology has also increased the complexity of managing risk. As new risks emerge, the American Institute of Certified Public Accountants (AICPA) continues to adapt the standards by which service organizations must address the changing risk landscape.

The latest iteration of the AICPA’s Trust Services Criteria will be required for System (formerly Service) and Organization Controls (SOC) 2 reports issued after December 15, 2018. The updated SOC 2 Trust Service Categories have been mapped to the 17 principles in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which is the most widely adopted internal control framework.

What’s changing?

Terminology: In order to reduce confusion, the SOC 2 Trust Services Principles have been renamed Trust Services Categories.

New Criteria: Within each category, there are a number of Trust Services Criteria. These criteria now include the 17 principles of the COSO framework. The AICPA’s illustrative risks and controls have been replaced with “points of focus,” which offer guidance for implementing controls to address the Trust Services Criteria. The criteria for the Security category have been vastly expanded to 33 required common criteria.


What’s the impact?

Companies that currently undergo SOC 2 examinations need to prepare to address the additional AICPA criteria. Given the December 15th deadline for implementing the updated guidance, some organizations may choose early adoption in advance of the deadline. For organizations whose reports will be issued after December 15, a timely review of the new guidance will ensure they address the new criteria early enough to identify any gaps and remediate them before the SOC examination.

The expanded criteria will likely require some companies, particularly small to mid-size organizations that have not previously attempted to comply with the COSO framework, to implement or redesign several internal controls.

Companies that have never undergone a SOC 2 examination should discuss with a qualified service auditor the criteria for each of the Trust Services Categories (Security, Availability, Confidentiality, Processing Integrity and Privacy) and the timing of the examination to determine whether the expanded criteria should be addressed in 2018. If your report will be issued after December 15th, you must use the updated framework regardless of when the examination procedures began, so be clear about the timing of each step of the process to ensure your report complies with AICPA guidelines. Users of your report are likely to want to see the new criteria addressed, so consider adopting the new framework even for reports issued earlier in the year.


What’s the advantage?

The changes to the AICPA’s SOC 2 Trust Service Criteria will provide clients and investors greater confidence in the controls in place for today’s business environment and risks. The enhanced attention to security will lend credibility to clients who have become increasingly focused on data protection as headline news stories continue to expose corporate weaknesses in managing data.

If you have questions about SOC 2 reporting, please reach out to the professionals at Frazier & Deeter. Our Process, Risk & Governance team has deep expertise assisting companies with preparing for and successfully completing SOC 2 examinations.
