Posts

SOC 2 Academy: Trust Services Criteria

SOC 2 Terminology Updates

In the AICPA’s recent updates to SOC 2 reporting, many will notice that there are quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria will now be strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.

An additional SOC 2 terminology update is that security, availability, confidentiality, processing integrity, and privacy will now be referred to as categories as opposed to criterion or principles. So, for example, when a service organization begins their SOC 2 audit journey, one of the first steps they will take will be to determine which of the categories they’ll need to include in their audit.

Common Criteria and Additional Criteria

The common criteria will still refer to the complete set of criteria for the security category, which is what the remaining categories are based on. There will also be additional criteria for each individual category. For example, if a service organization includes both security and availability categories, the SOC 2 audit will be assessed on compliance with the common criteria as well as the following additional criteria for the availability category:

  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcript

There are some slight terminology changes in the 2017 SOC 2 Trust Services Criteria. Security, availability, processing integrity, confidentiality, and privacy are now known as categories. Anything that relates to all five of those categories is still referred to as common criteria. There’s additional criteria that’s provided for availability, processing integrity, confidentiality, and privacy – basically anything other than security. It’s important to know how this criteria is organized throughout the SOC 2 framework so that you can tackle your audit and become compliant with the SOC 2 requirements.

SOC 2 Academy: Points of Focus

What is a Point of Focus?

In the past, many organizations have struggled on their journey toward SOC 2 compliance because they lacked an understanding of what they needed to do to comply with the Trust Services Criteria. As such, one of the enhancements to SOC 2 reporting includes points of focus, which will assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. Points of focus are meant to be references, not requirements, because not all points of focus will be applicable to all organizations. These points of focus serve as a type of checklist for management, providing clarity on how organizations can ensure that they are SOC 2 compliant. Let’s look at an example of points of focus under the security category.

Specific Points of Focus

For example, CC1.1, under the common criteria and COSO’s control environment component, states, “The entity demonstrates a commitment to integrity and ethical values.” The specific points of focus for this include the following:

  • Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
  • Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
  • Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
  • Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
  • Considers Contractors and Vendor Employees in Demonstrating Its Commitment – Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.

Organizations pursuing SOC 2 compliance would then choose to follow the guidance of the points of focus that apply to them. This ensures that their controls demonstrate the organization’s commitment to integrity and ethical values.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcript

One of the enhancements to the SOC 2 Trust Services Criteria in 2017 has to do with the inclusion of points of focus. The criteria now include points of focus, given by the AICPA, that really give you important characteristics about the criteria. These are not requirements; these are not things that you have to do, but they’re very helpful to reference. You can go into our Online Audit Manager and check out the resources in order to find these points of focus. One of the things that’s been very helpful about it is, many times in the SOC 2 criteria, you would read it and you wouldn’t really understand, at first glance, what it was talking about. The points of focus are there to help you understand the context of what the criteria is seeking to accomplish and how you might implement that within your own organization.

SOC 2 Academy: What’s New with SOC 2?

New Elements of SOC 2

In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.

Updates to the COSO Internal Control Framework

The COSO Internal Control Framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. While the five basic components of the COSO Internal Control Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – have not changed, the 17 principles of principles of internal control that are aligned with each of the five basic components. Additionally, there are now 81 points of focus across these 17 principles.

What are the 17 Principles of Internal Control?

The introduction of these 17 principles of internal control allow for organizations to have an explicit understanding of what each of the five basic COSO components requires, making it easier for organizations to apply them. Every organization pursuing a SOC 2 report, regardless of size, must demonstrate that each of the 17 principles of internal control are present, functioning, and operating in an integrated manner. An organization’s ability to satisfy each of the five components and their subsequent principles demonstrates that they have an effective system of internal controls. The 17 principles of internal control include:

What are the 17 Principles of Internal Control?

The 17 internal control principles do not map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcript

The AICPA issued new SOC 2 Trust Services Criteria in 2017. These criteria must be used for any reports issued after December 15, 2018. Until that date, you have the option of using the 2016 criteria or the 2017 criteria.

One of the big things that is new in the 2017 criteria is the inclusion of the 17 principles from the COSO Internal Control Framework. These 17 principles have to do with things dealing with governance of the organization, how you communicate issues to the employees within your organization, how you perform risk assessments, or how you monitor your controls.

You can reference some of our other materials on the COSO Internal Control Framework and also visit our web portal, where you can find resources on this topic.