New Trust Services Criteria for SOC 2 and SOC 3 Examinations
The AICPA Assurance Services Executive Committee (ASEC) recently released a new set of Trust Services Criteria (TSP Section 100) for SOC 2, SOC 3, and SOC for Cybersecurity engagements. The organizational structure and level of detail documented in the new criteria are different than the previous Trust Service Principles and Criteria; however, the concepts and objectives are very similar.
Background
The AICPA has noted in its release of the new 2017 Trust Services Criteria (TSC) that the primary reason for changing the criteria was to better align the TSC to the 2013 COSO Internal Control Framework. The previous versions of the Trust Services Principles and Criteria did not fully align to a specific framework, and the AICPA felt that the new 2017 TSC should align to the COSO principles. In addition to aligning with the COSO framework, the AICPA also wanted the TSC to better address cybersecurity risks given the evolving nature of cybersecurity. The last reason cited by the AICPA for the change to the 2017 TSC was to provide flexibility in application to the service organizations receiving SOC 2 and SOC 3 examinations. The 2017 TSC provides criteria that are substantially broader in scope, and the language of the criteria allows service organizations to evaluate risk and define controls specific to their organizations, giving them additional flexibility in outlining their controls.
It should also be noted that the AICPA has officially changed the name from Trust Services Principles and Criteria, shortening it to just Trust Services Criteria (TSC). Interestingly, the AICPA did not change the acronym for the codification of the guidance, even though it removed ‘Principles’ from the name. The acronym is still TSP, and the guidance can be found at TSP Section 100.
2017 Trust Services Criteria
COSO Framework
The 2013 COSO Internal Control—Integrated Framework is widely recognized and is often used to assess the design and effectiveness of an entity’s internal control over financial reporting. The AICPA identified the COSO framework as a best practice for assessing the design and operating effectiveness of controls and wanted to integrate it into the TSC. The 2013 COSO framework is made up of 17 principles, which are grouped into the following five areas:
- Control Environment
- Communication and Information
- Risk Assessment
- Monitoring Activities
- Control Activities
The updated TSC include the 17 COSO principles related to these five areas. The new criteria still use the common criteria format for the security criteria, along with additional criteria for availability, processing integrity, confidentiality, and privacy; however, the language of each common criterion under the 2016 trust services principles and criteria has been replaced with the corresponding COSO principle. In effect, the format of the TSC has not changed; only the specific language of each common criterion has been replaced with the COSO principle.
In addition, the AICPA has also issued additional supplemental TSC to specifically address controls over information technology and cybersecurity. COSO Principle 12 provides the following guidance: the entity deploys control activities through policies that establish what is expected and procedures that put policies into action. The new TSC provide details on specific control activity criteria (supplemental criteria) beyond the COSO principles that should be used to evaluate the internal controls over security, availability, processing integrity, confidentiality, and privacy. The supplemental criteria are specifically related to logical and physical access controls, computer and system operations controls, change management controls, and risk mitigation controls. The TSP specifically outlines the details of the supplemental criteria for each area below:
- Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
- System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
- Change management: The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
- Risk mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.
In addition to the supplemental criteria, the new criteria also include points of focus for each criterion. The points of focus are new to SOC reporting; however, they are not new to the COSO framework and have been around for quite some time. Each TSC is presented with an associated list of points of focus – the best practices and risks important to that criterion. The points of focus have been provided so that service organizations have a better understanding of the goals and objectives related to the design and operating effectiveness of controls for that criterion. The 2017 TSC consist of 33 common criteria with almost 200 points of focus. That number may sound overwhelming; however, the guidance at TSP 100.04 notes that the service organization is not required to assess whether each point of focus is addressed.
Timeline
The 2016 trust services principles and criteria were effective for periods ending on or after December 15, 2016; however, the new set of TSC was released just months later, in April of 2017. Currently, either set of criteria can be used for SOC 2 reporting, but the report should specify which set of criteria (2016 or 2017) was used. Beginning December 15, 2018, all reports should be issued using the 2017 TSC. In 2018, service organizations should be reviewing the new criteria along with the points of focus to evaluate the design, implementation, and operation of controls at the organization.
Webinar
In case you missed it, McKonly & Asbury’s May webinar is entitled “Navigating the New Trust Services Criteria” and will take place on Thursday, May 31, 2018.
The webinar will be hosted by McKonly & Asbury Partner Michael Hoffner and Senior Manager Josh Bantz, and will review the new Trust Services Criteria that will be effective for SOC 2 and SOC 3 reports issued after December 15, 2018. Be sure to register today to learn more.
For more information concerning the transition to the 2017 Trust Services Criteria as well as SOC 1, SOC 2, or SOC 3 examinations services provided by McKonly & Asbury, please contact Mike Hoffner, Partner, at mhoffner@macpas.com or Josh Bantz, Senior Manager, at jbantz@macpas.com.