Technological advances over the past 25 years have driven unimaginable conveniences, but our rapidly evolving technology has also increased the complexity of managing risk. As new risks emerge, the American Institute of Certified Public Accountants (AICPA) continues to adapt the standards by which service organizations must address the changing risk landscape.
The latest iteration of the AICPA’s Trust Services Criteria will be required for System (formerly Service) and Organization Controls (SOC) 2 reports issued after December 15, 2018. The updated SOC 2 Trust Service Categories have been mapped to the 17 principles in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which is the most widely adopted internal control framework.
What’s changing?
| Terminology | In order to reduce confusion, the SOC 2 Trust Services Principles have been renamed Trust Services Categories. |
| New Criteria | Within each category, there are a number of Trust Service Criteria. These criteria now include the 17 principles of the COSO framework. The AICPA’s illustrative risks and controls have been replaced with “points of focus,” which offer guidance for implementing controls to address the Trust Service Criteria. The Security Trust Services have been vastly expanded to 33 required common criteria. |
What’s the impact?
Companies that currently undergo SOC 2 examinations need to prepare to address the additional AICPA criteria. Given the December 15th deadline for implementing updated guidance, some organizations may choose early adoption in advance of the deadline. For organizations whose reports will be issued after December 15, timely review of the new guidance will ensure these organizations have addressed the new criteria early enough to allow time to identify any gaps with proper remediation prior to the SOC examination.
The expanded criteria will likely require some companies, particularly small to mid-size organizations, not previously attempting to comply with the COSO framework to implement or redesign several internal controls..
Companies that have never undergone a SOC 2 examination should discuss with a qualified service auditor the criteria for each of the Trust Service Categories (Security, Availability, Confidentiality, Processing Integrity and Privacy) and timing to determine if the expanded criteria should be addressed in 2018. If your report will be issued after December 15th you must use the updated framework regardless of when the examination procedures began, so be clear about timing of each step of the process to ensure your report complies with AICPA guidelines. Users of your report are likely to want to see the new criteria addressed, so consider adopting the new framework for reports issued earlier in the year.
What’s the advantage?
The changes to the AICPA’s SOC 2 Trust Service Criteria will provide clients and investors greater confidence in the controls in place for today’s business environment and risks. The enhanced attention to security will lend credibility to clients who have become increasingly focused on data protection as headline news stories continue to expose corporate weaknesses in managing data.
If you have questions about SOC 2 reporting, please reach out to the professionals at Frazier & Deeter. Our Process, Risk & Governance team has deep expertise assisting companies with preparation for and successfully completing SOC 2 examinations.