The American Institute of Certified Public Accountants (AICPA) released the 2017 Trust Services Criteria, which allow for enhanced SOC 2 reporting by providing greater coverage over IT governance and operational management. The new Trust Services Criteria must be adopted for SOC 2 examinations for reports with periods ending after December 15, 2018.
The AICPA’s updates will have a significant impact on SOC 2 reports. Here are the most important changes:
- Trust Services Criteria are now aligned with the COSO 2013 framework
- Trust Services Principles are renamed Trust Services Criteria
- Previous principles—Security, Availability, Processing Integrity, Confidentiality, and Privacy—are renamed as Trust Services Categories
- Points of focus have been added to all Trust Services Criteria
Transition Steps for Organizations
To transition to the 2017 Trust Services Criteria, organizations must map their current SOC 2 controls to the new criteria, identify gaps, and determine what additional controls they might need to add.
In mapping current SOC 2 controls to the 2017 Trust Services Criteria, organizations can use the new points of focus issued as a guide for the types of controls needed to meet each criteria.
After mapping, organizations can identify gaps in control coverage where remapped controls don’t fully meet the 2017 Trust Services Criteria.
While each organization will have its own control gaps to address, some common gaps in coverage include the following:
- Independent oversight by a board of directors or similar governance group
- Use of quality information and identification of controls based on the identification and assessment of risks
- Consideration of fraud in assessing risks
- Logical and physical protections over the destruction of assets
- Detection and monitoring procedures associated with system and integrity checks
- Risk mitigation for business disruption and recovery
Determine Controls Needed
Organizations must assess what controls are needed for remediating the gaps they’ve identified. These controls could be ones that an organization already has in place but hasn’t previously reported for SOC 2, or they might be controls that an organization needs to implement.
The sooner an organization can anticipate potential gaps under the 2017 Trust Service Criteria, the greater potential lead they’ll have to institute new control practices and avoid introducing exceptions into future SOC 2 reports.
We’re Here to Help
If you’d like to help in simplifying the transition of your SOC 2 report to the 2017 Trust Services Criteria, contact your Moss Adams professional.