Updates to the AICPA’s SOC 2 Framework

The American Institute of Certified Public Accountants (AICPA) recognizes the growing demand for transparency and strengthened controls within multifaceted risk environments. The SOC 2 framework continues to improve the security measures that should be implemented to protect organizations against emerging threats.

Following the Trust Services Criteria (TSC) section 100 publication in 2017, the AICPA announced that the revisions have been finalized and will be required for SOC 2 reports with review periods ending after December 15, 2018. The Trust Services Principles (TSP) issued in 2016 will be available in section 100A through December 15, 2018; after that date, the 2016 criteria will be superseded by the TSCs.

The updated SOC 2 framework includes several significant changes, including the following:

  • Renaming Trust Services Principles and Criteria (TSP) to Trust Services Criteria (TSC)
  • Changing the meaning of the SOC acronym from Service Organization Controls to System and Organization Controls
  • Alignment of the TSC to the COSO 2013 framework
  • Adding new criteria and points of focus

COSO 2013 Framework

The AICPA’s restructuring of the TSC to align with the COSO 2013 framework makes the TSC more applicable to system-level controls of a service organization or entity-level controls of other organizations. The framework’s principles are segmented into 5 specific categories:

  • Control Environment
  • Communication and Information
  • Risk Assessment
  • Monitoring Activities
  • Control Activities

The AICPA has developed enhanced supplemental criteria that map to the COSO principles to address cybersecurity risks. The new criteria are organized under the following headings:

  • Logical and Physical Access
  • System Operations
  • Change Management
  • Risk Mitigation

2018 SOC 2 Reporting Updates

New SOC 2 Criteria

Based on a cross-reference of the previous 2016 TSP and the COSO 2013 principles, organizations conducting the new SOC 2 examination will be required to test two new criteria: Risk Mitigation and Control Activities.

Risk Mitigation

One of the new criteria for SOC 2 is Risk Mitigation, which will require an appropriate risk mitigation program. By identifying, selecting and developing risk mitigation activities, organizations will be better able to assess and manage the risks arising from potential business disruptions and the use of vendors and business partners.

Control Activities

Under the Control Activities criteria, organizations must select and develop control activities over technology that contribute to the mitigation of risks to achieve objectives and deploy each control activity through relevant policies and procedures. The control activities can include both business processes and technological environments.

Modifying Trust Services Principles and Criteria – Includes Points of Focus

The five criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) will be referred to as the Trust Services Categories. This was done to avoid confusion with the COSO 2013 verbiage, which uses the term “principles” for its internal controls.

To help organizations navigate and identify appropriate controls, the update has added Points of Focus for each criterion. The Points of Focus describe important characteristics of the criteria, which allows for better application. For the practitioner, the points of focus assist in evaluating the controls and determining whether the criteria are present and functioning.

Planning for the New SOC 2

In the transition period leading up to the December 15 implementation date, organizations can adopt the 2017 TSCs. With alignments to the COSO 2013 Framework and additional criteria, it is anticipated that the number of controls included in the updated SOC 2 report will increase.

To ensure that internal controls are suitable and meet the new criteria, organizations should begin planning for the changes and conduct a gap assessment against their existing SOC 2 audit to identify areas of improvement required to meet the new reporting requirements. While these changes may be significant, the update is another step towards better addressing industry trends and creating more transparency for information security. The AICPA has released the following 2017 TSC mappings relevant to the SOC Suite of Services so that organizations can prepare for the upcoming change:

  • 2016 TSP
  • ISO 27001
  • COBIT5

Need assistance in preparing for the SOC 2 update or conducting a gap analysis? Contact the professionals at A-LIGN at [email protected] or call 1-888-702-5446 for more information.