SOC 2 Compliance: Reporting Changes
You may have recently noticed some changes in SOC 2 reporting, like the inclusion of an internal control framework and a change from “Trust Services Principles” to “Trust Services Criteria.”
Why the changes?
The AICPA’s Assurance Services Executive Committee (ASEC) recently issued a SOC 2 reporting update that includes a new set of 2017 Trust Services Criteria, which will provide integration with the 2013 COSO framework and ways to better address cybersecurity risks.
Let’s take a closer look at these changes and how they can affect your organization.
Trust Services Principles vs. Trust Services Criteria
The most noticeable change from this SOC 2 reporting update is the name change, which revises “Trust Services Principles and Criteria” to “Trust Services Criteria.”
Security, availability, processing integrity, confidentiality, and privacy are still the five categories under this revised name, and they are integrated with the 2013 COSO framework. Because the 2013 COSO framework uses “principles” to refer to the factors of internal control, ASEC removed “principles” from the original name to avoid any misunderstandings.
Integration with the 2013 COSO Framework
What else has changed with SOC 2 reporting, other than a name change? SOC 2 reporting now has integration with the 2013 COSO framework. This framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness.
It makes sense for the Trust Services Criteria to have integration with the 2013 COSO framework because they are both assessing internal controls. The Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system. The 2013 COSO framework assesses internal controls relating to control environment, risk assessment, information and communications, monitoring activities, and existing control activities. Service organizations’ controls must meet the 17 internal control principles that align with COSO’s five components of internal control, along with some new, supplemental criteria.
The 17 internal control principles include:
These internal control principles don’t map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.
Supplemental Criteria for Cybersecurity Risk
In addition to the 17 internal control principles from the 2013 COSO framework and the Trust Services Criteria, service organizations must meet new, supplemental criteria that address cybersecurity risk. These supplemental criteria include:
- Logical and Physical Access Controls – How service organizations implement logical and physical access controls to prevent unauthorized access to protect information assets.
- System Operations – How service organizations manage the operation of their systems to detect, monitor, and mitigate security incidents.
- Change Management – How service organizations determine the need for changes to infrastructure, data, software, and/or procedures, securely make changes, and prevent unauthorized changes.
- Risk Mitigation – How service organizations identify, select, and develop risk mitigation activities for risks arising from vendors, business partners, and other disruptions.
Points of Focus
Another new element to the 2017 Trust Services Criteria are points of focus.
While integrated into COSO, points of focus are new to SOC 2 reporting and the Trust Services Criteria. Points of focus are just that – details or characteristics to focus on and should be included in the design, implementation, and operation of an internal control. Points of focus will assess whether the 17 internal control principles from the 2013 COSO framework, Trust Services Criteria, and supplemental criteria are implemented and functioning. Points of focus are characteristics that auditors have always generally incorporated into their review, but with this SOC 2 reporting update, points of focus are now defined.
The supplemental criteria for risk mitigation (CC9.1) states, “The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.” What details or characteristics of this internal control should your organization focus on? The points of focus listed include:
- Considers Mitigation of Risks of Business Disruption – Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity’s objectives during response, mitigation, and recovery efforts.
- Considers the Use of Insurance to Mitigate Financial Impact Risks – The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.
It’s important to note that an assessment of points of focus is not required; not all points of focus are applicable to every service organization or situation. You can have effective internal controls without addressing every single point of focus.
How Do These SOC 2 Changes Affect Your Organization?
Since the 2017 Trust Services Criteria was released in April 2017, SOC 2 reports have been required to state which set of criteria was used – 2016 Trust Services Principles and Criteria or 2017 Trust Services Criteria. Beginning December 15, 2018, SOC 2 reports must use the 2017 Trust Services Criteria. If your organization pursues SOC 2 Type II attestation, you should begin determining what your next SOC 2 audit period will be and how the integration with the 2013 COSO framework, supplemental criteria, and points of focus will affect your audit.
The AICPA has published a mapping of the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria to help you further understand this SOC 2 reporting update. For more information on Trust Services Criteria or SOC 2 services, contact us today.