2018 Changes to SOC 2 Reporting

They’re at it again! Just when you get comfortable with the SOC 2 reporting requirements, the American Institute of Certified Public Accountants (AICPA) releases new ones. Here is a summary of the latest changes and the most important information you need to know regarding this update.

Why the changes were needed?

With business relationships becoming more critical to operations, and risks becoming more complex, the AICPA recognized the need to better address cybersecurity risks and increase transparency in internal controls and processes. As a result, they refined the criteria used in SOC 2 reports to reflect these needs.

What changes took place?

TSP 100 – 2017 Trust Services Criteria
Trust Services Principles and Criteria has been renamed Trust Services Criteria, and the five principles (security, availability, processing integrity, confidentiality and privacy) are now referred to as Trust Services Categories. The term “principles” was dropped to prevent confusion with the use of that term within the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) framework.

The Trust Services Criteria have been rearranged and realigned with the 17 principles in the COSO 2013 framework to allow them to be used in entity-wide engagements. The COSO 2013 framework is widely used around the world and is recognized as a leading framework for internal controls. Additional criteria has been included to align with various cybersecurity risks, fraud risk assessments, and risks related to vendors and business partners – resulting in nine classifications of the SOC 2 common criteria instead of the previous seven. Additional criteria are available for the availability, processing integrity, confidentiality and privacy categories. To facilitate the restructuring, the AICPA has provided a mapping of the previous Trust Services Criteria with the updated criteria.

Since judgment is involved in applying the trust services criteria to business practice, the update includes points of focus for each criteria. These points of focus provide items for consideration in applying the criteria and assist management and the CPA firm in evaluating whether the controls are suitably designed and operating effectively. Keep in mind, however, that not all points of focus are required to be addressed.

Additional Management Description Criteria Requirements
In January 2018, the AICPA released a revised version of the Description Criteria, which requires management to explicitly disclose the following:

• Specific service commitments and requirements of the system used to provide the organization’s service to its customers (user entities).

• Information related to system incidents at a level necessary to understand the nature of the incident and risks faced by the service organization. System incidents could include those resulting from the organization’s failure to achieve its service commitments and requirements or those resulting from controls that were not designed or operating effectively to meet service commitments or system requirements.

When do the changes take effect?

The new guidance must be implemented for SOC reports with periods ending after December 15, 2018. However, early adoption of the new guidance is permitted. This is an important consideration for service organizations going through their first SOC 2 exam in 2018.

What do these changes mean for you?

The updates to the Trust Services Criteria represent the most significant change to the criteria since the inception of the SOC 2 report. With the alignment to the COSO 2013 framework, the number of controls included will increase from what is required in current reports using the 2016 TSP 100A criteria.

How should you prepare for these changes?

We would be pleased to discuss the SOC 2 changes with you, so you can fully understand the new requirements and develop a strategic road map to meet the new standards. In addition, we can provide a readiness assessment prior to your organization’s next SOC 2 exam to facilitate a smooth transition to the new requirements and criteria.

Here are some next steps to consider:

• Gain an understanding of the new SOC 2 criteria.

• Review the timeline your report typically covers (or is anticipated to cover) to determine if the changes will affect your 2018 report.

• Assess your organization’s current readiness – determine the additional controls and Management Description updates needed to bridge any identified gaps for reporting under the 2017 Trust Services Criteria, then evaluate how long it will take you to implement the new controls and requirements.

• Update the Management Description and your report disclosures to include the service commitments and system requirements that are communicated to, and consistent with, all of your users.

• Log all potential incidents and evaluate if any occurred that are material to achieving system commitments for potential disclosure.