Is your organization a service provider that hosts or supports sensitive customer data (e.g., protected health information (PHI) or personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants (AICPA) that may affect how your organization manages its systems and data.
In April, the AICPA's Assurance Services Executive Committee decided to replace the five Trust Services Principles (TSP) with the Trust Services Criteria (TSC). Service organizations will need to re-map their internal controls to the new criteria and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.
The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with applicable regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to confirm that those controls operate as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) that the organization is reducing data risk and exposure.
Currently, SOC 2 reports focus on five Trust Services Principles (TSP):
• Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
• Availability: Information and systems are available for operation and use to meet the entity's objectives.
• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
• Confidentiality: Information designated as confidential is protected to meet the entity's objectives.
• Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.
New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are organized around the five COSO components:
• Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
• Risk Assessment: Emphasis on the risk assessment process, how you identify and analyze risks (including fraud-related risks), and how changes in risk affect internal controls.
• Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across the organization through policies and procedures.
• Information and Communication: Emphasis on how you communicate information within the organization and to external parties.
• Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.
Points of Focus
The AICPA has provided nearly 300 Points of Focus (POF): supporting considerations that organizations should take into account when designing controls to address the TSC. The POF offer guidance on controls that address the specifics of each criterion, but they are not required.
Webinar on Changes Coming Soon
Organizations now have some work to do to meet the new criteria. The good news: there is still time to make the necessary changes. You can continue to use the current TSP format for reports issued before December 15, 2018. Any SOC 2 report issued after December 15, 2018, must use the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from the TSP to the TSC format.
BerryDunn's experts are hosting a Q&A webinar in February 2018 to explain the new TSC format and answer your questions. In the coming months we will provide follow-up reference materials. Tracy Harding, CPA, a principal on our audit and accounting team, is a member of the Accounting Standards Board. As part of that role, he has reviewed the updated SOC 2 audit guide and will share his initial thoughts in the webinar. Contact us to learn more about how we can help you take control of your SOC 2 reporting efforts.