SOC 2 Academy: Trust Services Criteria

SOC 2 Terminology Updates

In the AICPA’s recent updates to SOC 2 reporting, many will notice that there are quite a few SOC 2 terminology changes. Most notably, the Trust Services Principles and Criteria will now be strictly referred to as the Trust Services Criteria. However, it’s important to note that the AICPA did not update the acronym to reflect this change. Instead, the acronym for Trust Services Criteria will remain TSP.

An additional SOC 2 terminology update is that security, availability, confidentiality, processing integrity, and privacy will now be referred to as categories rather than criteria or principles. So, for example, when a service organization begins its SOC 2 audit journey, one of the first steps it will take is to determine which of the categories it needs to include in the audit.

Common Criteria and Additional Criteria

The common criteria will still refer to the complete set of criteria for the security category, which is what the remaining categories are based on. There will also be additional criteria for each individual category. For example, if a service organization includes both security and availability categories, the SOC 2 audit will be assessed on compliance with the common criteria as well as the following additional criteria for the availability category:

  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcript

There are some slight terminology changes in the 2017 SOC 2 Trust Services Criteria. Security, availability, processing integrity, confidentiality, and privacy are now known as categories. Anything that relates to all five of those categories is still referred to as common criteria. There are additional criteria that are provided for availability, processing integrity, confidentiality, and privacy – basically anything other than security. It’s important to know how these criteria are organized throughout the SOC 2 framework so that you can tackle your audit and become compliant with the SOC 2 requirements.

SOC 2 Academy: Points of Focus

What is a Point of Focus?

In the past, many organizations have struggled on their journey toward SOC 2 compliance because they lacked an understanding of what they needed to do to comply with the Trust Services Criteria. As such, one of the enhancements to SOC 2 reporting includes points of focus, which will assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. Points of focus are meant to be references, not requirements, because not all points of focus will be applicable to all organizations. These points of focus serve as a type of checklist for management, providing clarity on how organizations can ensure that they are SOC 2 compliant. Let’s look at an example of points of focus under the security category.

Specific Points of Focus

For example, CC1.1, under the common criteria and COSO’s control environment component, states, “The entity demonstrates a commitment to integrity and ethical values.” The specific points of focus for this include the following:

  • Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
  • Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
  • Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
  • Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
  • Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.

Organizations pursuing SOC 2 compliance would then choose to follow the guidance of the points of focus that apply to them. This ensures that their controls demonstrate the organization’s commitment to integrity and ethical values.

Video Transcript

One of the enhancements to the SOC 2 Trust Services Criteria in 2017 has to do with the inclusion of points of focus. The criteria now include points of focus, given by the AICPA, that really give you important characteristics about the criteria. These are not requirements; these are not things that you have to do, but they’re very helpful to reference. You can go into our Online Audit Manager and check out the resources in order to find these points of focus. One of the things that’s been very helpful about it is, many times in the SOC 2 criteria, you would read it and you wouldn’t really understand, at first glance, what it was talking about. The points of focus are there to help you understand the context of what the criteria are seeking to accomplish and how you might implement that within your own organization.

SOC 2 Academy: What’s New with SOC 2?

New Elements of SOC 2

In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.

Updates to the COSO Internal Control Framework

The COSO Internal Control Framework is used to assess the design, implementation, and maintenance of internal controls and to assess their effectiveness. While the five basic components of the COSO Internal Control Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – have not changed, the 2013 update introduced 17 principles of internal control, each aligned with one of the five basic components. Additionally, there are now 81 points of focus across these 17 principles.

What are the 17 Principles of Internal Control?

The introduction of these 17 principles of internal control allows organizations to have an explicit understanding of what each of the five basic COSO components requires, making it easier for organizations to apply them. Every organization pursuing a SOC 2 report, regardless of size, must demonstrate that each of the 17 principles of internal control is present, functioning, and operating in an integrated manner. An organization’s ability to satisfy each of the five components and their associated principles demonstrates that it has an effective system of internal controls. The 17 principles of internal control include:

The 17 internal control principles do not map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

Video Transcript

The AICPA issued new SOC 2 Trust Services Criteria in 2017. These criteria must be used for any reports issued after December 15, 2018. Until that date, you have the option of using the 2016 criteria or the 2017 criteria.

One of the big things that is new in the 2017 criteria is the inclusion of the 17 principles from the COSO Internal Control Framework. These 17 principles have to do with things dealing with governance of the organization, how you communicate issues to the employees within your organization, how you perform risk assessments, or how you monitor your controls.

You can reference some of our other materials on the COSO Internal Control Framework and also visit our web portal, where you can find resources on this topic.

SOC 2 Reporting Update: 2017 Trust Services Criteria

SOC 2 Reporting Changes

You may have recently noticed some changes in SOC 2 reporting, like the inclusion of an internal control framework and a change from “Trust Services Principles” to “Trust Services Criteria.” Why the changes? The AICPA’s Assurance Services Executive Committee (ASEC) recently issued a SOC 2 reporting update that includes a new set of 2017 Trust Services Criteria, which will provide integration with the 2013 COSO framework and ways to better address cybersecurity risks.

Name Change – Trust Services Criteria

The most noticeable change from this SOC 2 reporting update is the name change, which revises “Trust Services Principles and Criteria” to “Trust Services Criteria.” Security, availability, processing integrity, confidentiality, and privacy are still the five categories under this revised name, and they are integrated with the 2013 COSO framework. Because the 2013 COSO framework uses “principles” to refer to the factors of internal control, ASEC removed “principles” from the original name to avoid any misunderstandings.

Integration with the 2013 COSO Framework

What else has changed with SOC 2 reporting, other than a name change? SOC 2 reporting now has integration with the 2013 COSO framework. This framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. It makes sense for the Trust Services Criteria to have integration with the 2013 COSO framework because they are both assessing internal controls. The Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system. The 2013 COSO framework assesses internal controls relating to control environment, risk assessment, information and communications, monitoring activities, and existing control activities. Service organizations’ controls must meet the 17 internal control principles that align with COSO’s five components of internal control, along with some new, supplemental criteria. The 17 internal control principles include:

SOC 2 Reporting Infographic: 2017 Trust Services Criteria

These internal control principles don’t map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

Supplemental Criteria

In addition to the 17 internal control principles from the 2013 COSO framework and the Trust Services Criteria, service organizations must meet new, supplemental criteria that address cybersecurity risk. These supplemental criteria include:

  • Logical and Physical Access Controls – How service organizations implement logical and physical access controls to prevent unauthorized access and protect information assets.
  • System Operations – How service organizations manage the operation of their systems to detect, monitor, and mitigate security incidents.
  • Change Management – How service organizations determine the need for changes to infrastructure, data, software, and/or procedures, securely make changes, and prevent unauthorized changes.
  • Risk Mitigation – How service organizations identify, select, and develop risk mitigation activities for risks arising from vendors, business partners, and other disruptions.

Points of Focus

Another new element of the 2017 Trust Services Criteria is points of focus. While points of focus already exist in COSO, they are new to SOC 2 reporting and the Trust Services Criteria. Points of focus are just that – details or characteristics to focus on, which should be included in the design, implementation, and operation of an internal control. Points of focus are used to assess whether the 17 internal control principles from the 2013 COSO framework, the Trust Services Criteria, and the supplemental criteria are implemented and functioning. They are characteristics that auditors have always generally incorporated into their review, but with this SOC 2 reporting update, points of focus are now explicitly defined.

The supplemental criterion for risk mitigation (CC9.1) states, “The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.” What details or characteristics of this internal control should your organization focus on? The points of focus listed include:

  • Considers Mitigation of Risks of Business Disruption – Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity’s objectives during response, mitigation, and recovery efforts.
  • Considers the Use of Insurance to Mitigate Financial Impact Risks – The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.

It’s important to note that an assessment of points of focus is not required; not all points of focus are applicable to every service organization or situation. You can have effective internal controls without addressing every single point of focus.

How Does This Affect Your Organization?

Since the 2017 Trust Services Criteria were released in April 2017, SOC 2 reports have been required to state which set of criteria was used – the 2016 Trust Services Principles and Criteria or the 2017 Trust Services Criteria. Beginning December 15, 2018, SOC 2 reports must use the 2017 Trust Services Criteria. If your organization pursues SOC 2 Type II attestation, you should begin determining what your next SOC 2 audit period will be and how the integration with the 2013 COSO framework, the supplemental criteria, and the points of focus will affect your audit.

The AICPA has published a mapping of the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria to help you further understand this SOC 2 reporting update. For more information on Trust Services Criteria or SOC 2 services, contact us today.