
SOC 2 Academy: What’s New with SOC 2?

New Elements of SOC 2

In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.

Updates to the COSO Internal Control Framework

The COSO Internal Control Framework is used to assess the design, implementation, and maintenance of internal controls and to assess their effectiveness. While the five basic components of the COSO Internal Control Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – have not changed, the framework now articulates 17 principles of internal control that are aligned with each of the five basic components. Additionally, there are now 81 points of focus across these 17 principles.

What are the 17 Principles of Internal Control?

The introduction of these 17 principles of internal control allows organizations to have an explicit understanding of what each of the five basic COSO components requires, making it easier for organizations to apply them. Every organization pursuing a SOC 2 report, regardless of size, must demonstrate that each of the 17 principles of internal control is present, functioning, and operating in an integrated manner. An organization’s ability to satisfy each of the five components and their subsequent principles demonstrates that it has an effective system of internal controls. The 17 principles of internal control include:


The 17 internal control principles do not map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.


Video Transcript

The AICPA issued new SOC 2 Trust Services Criteria in 2017. These criteria must be used for any reports issued after December 15, 2018. Until that date, you have the option of using the 2016 criteria or the 2017 criteria.

One of the big things that is new in the 2017 criteria is the inclusion of the 17 principles from the COSO Internal Control Framework. These 17 principles have to do with things dealing with governance of the organization, how you communicate issues to the employees within your organization, how you perform risk assessments, or how you monitor your controls.

You can reference some of our other materials on the COSO Internal Control Framework and also visit our web portal, where you can find resources on this topic.

SOC 2 Reporting Update: 2017 Trust Services Criteria

SOC 2 Reporting Changes

You may have recently noticed some changes in SOC 2 reporting, like the inclusion of an internal control framework and a change from “Trust Services Principles” to “Trust Services Criteria.” Why the changes? The AICPA’s Assurance Services Executive Committee (ASEC) recently issued a SOC 2 reporting update that includes a new set of 2017 Trust Services Criteria, which will provide integration with the 2013 COSO framework and ways to better address cybersecurity risks.

Name Change – Trust Services Criteria

The most noticeable change from this SOC 2 reporting update is the name change, which revises “Trust Services Principles and Criteria” to “Trust Services Criteria.” Security, availability, processing integrity, confidentiality, and privacy are still the five categories under this revised name, and they are integrated with the 2013 COSO framework. Because the 2013 COSO framework uses “principles” to refer to the factors of internal control, ASEC removed “principles” from the original name to avoid any misunderstandings.

Integration with the 2013 COSO Framework

What else has changed with SOC 2 reporting, other than a name change? SOC 2 reporting now has integration with the 2013 COSO framework. This framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. It makes sense for the Trust Services Criteria to have integration with the 2013 COSO framework because they are both assessing internal controls. The Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system. The 2013 COSO framework assesses internal controls relating to control environment, risk assessment, information and communications, monitoring activities, and existing control activities. Service organizations’ controls must meet the 17 internal control principles that align with COSO’s five components of internal control, along with some new, supplemental criteria. The 17 internal control principles include:

SOC 2 Reporting Infographic: 2017 Trust Services Criteria

These internal control principles don’t map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

Supplemental Criteria

In addition to the 17 internal control principles from the 2013 COSO framework and the Trust Services Criteria, service organizations must meet new, supplemental criteria that address cybersecurity risk. These supplemental criteria include:

  • Logical and Physical Access Controls – How service organizations implement logical and physical access controls to prevent unauthorized access and protect information assets.
  • System Operations – How service organizations manage the operation of their systems to detect, monitor, and mitigate security incidents.
  • Change Management – How service organizations determine the need for changes to infrastructure, data, software, and/or procedures, securely make changes, and prevent unauthorized changes.
  • Risk Mitigation – How service organizations identify, select, and develop risk mitigation activities for risks arising from vendors, business partners, and other disruptions.

Points of Focus

Another new element of the 2017 Trust Services Criteria is points of focus. While already integrated into COSO, points of focus are new to SOC 2 reporting and the Trust Services Criteria. Points of focus are just that – details or characteristics to focus on that should be included in the design, implementation, and operation of an internal control. Points of focus are used to assess whether the 17 internal control principles from the 2013 COSO framework, the Trust Services Criteria, and the supplemental criteria are implemented and functioning. Points of focus are characteristics that auditors have always generally incorporated into their review, but with this SOC 2 reporting update, points of focus are now explicitly defined.

The supplemental criterion for risk mitigation (CC9.1) states, “The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.” What details or characteristics of this internal control should your organization focus on? The points of focus listed include:

  • Considers Mitigation of Risks of Business Disruption – Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity’s objectives during response, mitigation, and recovery efforts.
  • Considers the Use of Insurance to Mitigate Financial Impact Risks – The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.

It’s important to note that an assessment of points of focus is not required; not all points of focus are applicable to every service organization or situation. You can have effective internal controls without addressing every single point of focus.

How Does This Affect Your Organization?

Since the 2017 Trust Services Criteria were released in April 2017, SOC 2 reports have been required to state which set of criteria was used – the 2016 Trust Services Principles and Criteria or the 2017 Trust Services Criteria. Beginning December 15, 2018, SOC 2 reports must use the 2017 Trust Services Criteria. If your organization pursues SOC 2 Type II attestation, you should begin determining what your next SOC 2 audit period will be and how the integration with the 2013 COSO framework, the supplemental criteria, and the points of focus will affect your audit.

The AICPA has published a mapping of the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria to help you further understand this SOC 2 reporting update. For more information on Trust Services Criteria or SOC 2 services, contact us today.

What’s The Difference Between SOC 1, SOC 2, and SOC 3?

When it comes to SOC (Service Organization Control) reports, there are three different report types: SOC 1, SOC 2, and SOC 3. When considering which report fits your organization’s needs, you must first understand what your clients require of you and then consider the areas of internal control over financial reporting (ICFR), the Trust Services Principles, and restricted use.

SOC 1 vs. SOC 2 vs. SOC 3

What Is a SOC 1 Report?


SOC 1 engagements are based on the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to their client’s internal control over financial reporting (ICFR).


What Is a SOC 2 Report?


A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organization. The SOC 2 report was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy, also known as the Trust Services Principles. These principles address internal controls unrelated to ICFR.

What Is a SOC 3 Report?


A SOC 3 report, just like a SOC 2, is based on the Trust Services Principles, but there’s a major difference between these types of reports: restricted use. A SOC 3 report can be freely distributed, whereas a SOC 1 or SOC 2 can only be read by the user organizations that rely on your services. A SOC 3 does not give a description of the service organization’s system, but can provide interested parties with the auditor’s report on whether an entity maintained effective controls over its systems as it relates to the Trust Services Principles.

When trying to determine whether your service organization needs a SOC 1, SOC 2, or SOC 3, keep these requirements in mind:

  • Could your service organization affect a client’s financial reporting? A SOC 1 would apply to you.
  • Does your service organization want to be evaluated on the Trust Services Principles? SOC 2 and SOC 3 reports would work.
  • Does restricted use affect your decision? SOC 1 and SOC 2 reports can only be read by the user organizations that rely on your services. A SOC 3 report can be freely distributed and used in many different applications.

Each of these reports must be issued by a licensed CPA firm, such as KirkpatrickPrice. We offer SOC 1, SOC 2, and SOC 3 engagements. To learn more about KirkpatrickPrice’s SOC services, contact us today using the form below.

Video Transcription

What is the difference between SOC 1, SOC 2, and SOC 3 reports? SOC reports are Service Organization Control reports.

SOC 1 reports work off of the SSAE 16 (now SSAE 18), which is about internal control over financial reporting. As a service organization, you may affect your user organization’s financial reporting. If so, a SOC 1 is the one for you.

Trust Services Principles have to do with criteria dealing with security, availability, processing integrity, confidentiality, and privacy. Those Principles work with SOC 2 and SOC 3 reports.

These reports are restricted in use when you issue a SOC 1 or a SOC 2 report. They are only to be read by the user organizations who rely upon your services, where a SOC 3 can be used in many different applications.

Finally, these 3 types of reports need to be issued by a licensed CPA firm that specializes in this particular industry and the industry that you work in. KirkpatrickPrice is a licensed CPA firm that can help you with all three types of reports – the SOC 1, SOC 2, and SOC 3.

What Is The SOC 2 Security Principle?

History of the SOC 2 Trust Services Principles

The Service Organization Control 2 (SOC 2) Report focuses on non-financial controls at an organization as they relate to security, availability, processing integrity, confidentiality, and privacy. These are also known as the Trust Services Principles. In 2014, the SOC 2 Trust Services Principles were updated, and one of the major changes was to the SOC 2 security principle. This change to the Common Criteria helped to eliminate the overlap between the Trust Services Principles (TSPs). Before this update, a lot of SOC 2 reports had the same controls repeated over and over in order to address the overlapping requirements between the Trust Services Principles. Since the update in 2014, they have developed what are known as the Common Criteria that apply to all SOC 2 audit reports.

What is the SOC 2 Security Principle?

The SOC 2 Security Principle is a must, and should be included in any non-privacy principle SOC 2 engagement. The Security Principle now consists of the Common Criteria that apply to all TSPs within the audit report, and includes the following seven categories:

  • Organization and Management: How is your company structured? How do you oversee the services your organization performs?
  • Communication: How do you communicate to your internal and external users about how your system works? How do you communicate policies, procedures, and expectations to authorized users and other parties?
  • Risk Assessment and Risk Management: How are you implementing controls to manage known risks? How do you select the controls that are put in place to meet the criteria? A risk assessment must be performed in order to determine what controls are necessary to address the risks that your organization is dealing with.
  • Monitoring: Monitoring is a follow up to risk management. Once you’ve put a control in place, how are you monitoring it to know that it is operating effectively and appropriately addressing the risk? Do any changes or remediations need to be made?
  • Physical and Logical Access: How do you control access to sensitive data and systems within your organization? You should be implementing physical controls, such as a door leading to an area that contains sensitive information that is controlled by a card reader or a lock and key. You should also be implementing logical controls such as implementing passwords or requirements for identifying a user before they are authorized to access a system.
  • System Operations: This criterion deals with how your organization manages day-to-day processes and procedures. This includes what you do on a daily, weekly, and monthly basis to execute your services.
  • Change Management: Lastly, when you have to make changes to your system or services, how are these changes being documented? How are you testing those changes and addressing any new risks that may be associated with these changes? How are they approved prior to making the change in your environment?

These common criteria should be reviewed by all organizations before being audited against the SOC 2 security principle and must be in place for your auditor to review. For more information on preparing for your SOC 2 audit or help with meeting these common criteria, contact us today.

Video Transcription

In 2014, the SOC 2 Trust Services Principles were updated and one of the major modifications is the Security Principle, which is really referred to now as having the common criteria for all of the Trust Services Principles within the SOC 2 Audit Report. What that means is that everything was condensed, all of the redundancies were taken out of the process, so that we could focus on this common criteria that applies to any of the Principles, so that a Service Organization would not have to repeat themselves over and over again throughout the report. The Security Principle is a “must” to have in your SOC 2 Audit Report because of that common criteria. It has to be included in a non-Privacy Principle SOC 2 audit engagement.

There are 7 categories within the Security Principle. There is Organization and Management – how is your company structured? How do you oversee the services that you perform? Communication – how do you communicate to internal and external users about how your system works? How do you communicate about policies and procedures and expectations? Risk Assessment and Management of Risk through the implementation of controls – how does your organization select the controls that you put in place to meet the criteria? It has to be done through some type of Risk Assessment in order to determine what kind of controls are necessary to address the risk that you are dealing with. The thing that follows up to that is the Monitoring of Controls – once you put a control in place, how do you monitor it to make sure that it’s effective and that you don’t need any changes or remediation if the control becomes ineffective? That’s done through Monitoring. There’s also Logical Access and Physical Access to sensitive information and systems – how do you control access like entering from a door into a sensitive area that may be controlled by some type of a card reader or lock and key? And also Logical Access – are there passwords? Are there requirements for identifying the user before they access the system? And then also, we’ve got System Operations, which has to do with your day-to-day processing – what are your procedures? What do you do on a daily, weekly, and monthly schedule in the execution of your services? And lastly, we’ll be looking at Change Management, which is when you have to make changes to your system or your service that you’re providing, how do you document those changes? How do you test them? How do you evaluate the risk? How do you prove them in order to make sure that those changes are well-documented and approved prior to making the change in the environment?

So these are some areas to think about as you prepare to be audited against the Security Principle, because that criteria will be very important to have in place for your auditor to review.

Selecting SOC 2 Principles

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Principles (recently updated to Trust Services Criteria) you want to include in your SOC 2 audit report. SOC 2 reports can address one or more of the following principles: Security, Confidentiality, Availability, Processing Integrity, or Privacy. Becoming familiar with these principles should be the first step in determining the scope of your SOC 2 audit and deciding which of these principles apply to the services your organization provides.

Selecting SOC 2 Principles with Joseph Kirkpatrick

The Trust Services Principles

Security

In a non-privacy SOC 2 engagement, the Security principle must be included. Security is the common criteria that applies to all engagements, and is what the other Trust Services Principles are built on. The Security principle addresses whether the system is protected (both physically and logically) against unauthorized access.


Confidentiality

If the services your organization offers deal with sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the Confidentiality principle should be present in your SOC 2 audit report. The Confidentiality principle addresses the agreements that you have with clients in regards to how you use their information, who has access to it, and how you protect it. Are you following your contractual obligations by properly protecting client information?

Availability

Are you ensuring that the system you provide your clients is available for operation and used as agreed? Availability addresses whether the services you provide are operating with the type of availability that your clients would expect. The Availability principle typically applies to companies providing colocation, data center, or hosting services to their clients.


Processing Integrity

If the services you provide are financial services or e-commerce services and are concerned with transactional integrity, Processing Integrity is a principle that should be included in your SOC 2 report. Are the services you provide to your clients provided in a complete, accurate, authorized, and timely manner? Are you ensuring that these things are happening?


Privacy

Lastly, we have the Privacy principle. The Privacy principle really stands on its own, as it specifically addresses how you collect and use consumers’ personal information. It ensures that your organization is handling client data in accordance with any commitments in the entity’s privacy notice as committed or agreed, and with criteria defined in generally accepted privacy principles issued by the AICPA.


So, you aren’t necessarily required to address all five of the Trust Services Principles in your SOC 2 audit report; however, you should select the principles that are relevant to the services you are providing to your customers. If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Principles you should include, contact us today.


Video Transcription

One of the first things that you have to do in order to prepare for a SOC 2 audit engagement is select which principles from the trust services principles will be included in your SOC 2 audit report. The principles again are: Security, Availability, Confidentiality, Processing Integrity and Privacy.

Security must be included in any non-privacy principle SOC 2 audit engagement. We refer to the security principle as the common criteria that applies to any SOC 2 engagement and applies across the board to all the principles involved except for privacy.

So you must include that one, but from there you will look at confidentiality. Do you have agreements with your clients about how you will use the information, who has access to it and how you will protect that, and are you abiding by those contracts that you’ve entered into?

Processing integrity has to do with providing your services in a complete manner, in an accurate manner, in a timely manner and are you doing those things?

Availability has to do with, is your system available to your clients as agreed? The services that you provide – are you maintaining the type of availability that your clients would expect for your services to be available to them?

Then finally, Privacy really kind of stands on its own. It’s a very unique principle, it’s very different from the other four. And we usually issue that as its own type of report because it addresses how you collect and use personal information of consumers, and do they have rights to opt out of how their information is used. Do they have the ability to file a complaint and get a response from you on how information is being utilized?

So think about those five principles and what would be included in your SOC 2 audit engagement.