How to Comply with Trust Services Criteria for SOC 2 Examinations

Most technology companies have a need for SOC 2 examinations, also known as audits, regardless of their line of service, because they store, process, or maintain client data.

SOC 2 examinations emphasize the effectiveness of internal controls related to the Trust Services Criteria.

The Trust Services Criteria are used to evaluate and report on controls over information and systems in the following ways:

  • Across an entire entity
  • At a subsidiary, division, or operating unit level
  • Within a function relevant to the entity's operational, reporting, or compliance objectives
  • For a particular type of information used by the entity

What Are the Trust Services Criteria?

The latest American Institute of Certified Public Accountants (AICPA) 2017 Trust Services Criteria took effect for SOC 2 examinations  on or after December 15, 2018, allowing for enhanced system and organizational control (SOC) 2 reporting by providing greater coverage over IT governance and operational management.

The Trust Services Criteria include five trust services categories, as defined by AICPA:

  1. Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  2. Availability. Information and systems are available for operation and use to meet the entity’s objectives.
  3. Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  4. Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
  5. Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

Each of these trust categories has predefined criteria.

Every report includes security as part of the common criteria. Management can choose which of the other trust services categories they’d like to include in the examination. For instance, if you believe a service provider is dealing with confidential information, then that trust services category should be included.

What Do the Trust Services Criteria Apply To?

The Trust Service Criteria apply to the following system components during a SOC 2 examination:

  • Infrastructure. Physical structures, IT, and other hardware, including facilities, computers, equipment, mobile devices, and telecommunications networks
  • Software. Application programs and IT system software that support application programs, such as operating systems, middleware, and utilities
  • People. Personnel involved in the governance, operation, and use of a system—namely developers, operators, entity users, vendor personnel, and managers
  • Procedures. Both automated and manual
  • Data. Transaction streams, files, databases, tables, and output used or processed by a system

Coverage of the Trust Services Criteria

Internal control is defined in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

The COSO Framework is designed to be used by organizations to assess the effectiveness of the system of internal control to achieve objectives as determined by management.

The 2017 framework lists five categories of components:

  1. Governance and Culture. Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
  2. Strategy and Objective-Setting. Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
  3. Performance. Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
  4. Review and Revision. By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
  5. Information, Communication, and Reporting. Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

The objective of effective Internal Control over Financial Reporting (ICFR) is to address risks related to financial reporting.

In simple terms, a company’s ICFR consists of controls designed to provide reasonable assurance that the company’s financial statements are reliable and prepared in accordance with the applicable financial reporting framework, such as generally accepted accounting principles in the US (GAAP) or international financial reporting standards (IFRS).

The five components of internal controls are below and are covered by the Trust Services Criteria:

  • Control environment. The control environment is a set of standards that are established via a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
  • Risk assessment. Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieve the entity’s objectives, and forms a basis for determining how risks should be managed.
  • Control activities. Control activities are actions established by the policies and procedures to help ensure management directives, intended to mitigate risks, are carried out.
  • Communication and information. Information is necessary for the entity to carry out internal control responsibilities in support of its objectives. Communication occurs both internally and externally, and provides the organization with information needed to carry out day-to-day internal control activities.
  • Monitoring activities. Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls that affect the principles within each component, are present and functioning.

Some other Areas included in the Trust Services Criteria are:

  • Logical and physical access controls. Controls related to the logical access security over software, infrastructure, and architectures over protected information assets to protect them from security events, in addition to controls related to physical access to facilities and protected information assets
  • System operations. Controls related to detecting and monitoring vulnerabilities, anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives, as well as the control to evaluate and respond to security incidents
  • Change management. Controls related to authorizing, designing, developing or acquiring, configuring, documenting, testing, approving, and implementing changes to infrastructure, data, software, and procedures to meet the entity’s objectives
  • Risk mitigation. Controls related to risk mitigation activities for risks arising from potential business disruptions and management of risks associated with vendors and business partners

What Are the Points of Focus?

For each Trust Services Criteria the AICPA provides corresponding points of focus. For all five categories where the COSO principles apply, there are 61 criteria with approximately 300 points of focus.

The points of focus provide important characteristics and help define controls for each criteria. Learn more about the focus points in our SOC Reports Overview.

What Is the Benefit of a SOC 2 Examination, or Audit?

SOC 2 examinations measure the effectiveness of internal controls related to five trust services categories. These reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

To learn more about the benefits of SOC 2 reports and how they could be used to reduce security questionnaires or vendor examination procedures, please see our article.

Most technology companies engage in SOC 2 examinations regardless of their line of service because they act as, or work with, clients to store, process, or maintain client data.

The number of SOC 2 examinations has increased sharply in recent years. This trend continues, largely due to increased security concerns that rise proportionally to the IT industry’s promotion of new products and services in the cloud, and events of disruption like the COVID-19 pandemic.

We’re Here to Help

For more information about the SOC 2 examination process or how your organization can map its current controls and identify gaps, please visit our services page and contact your Moss Adams professional.

Contact Us with Questions

Enter security code:
 Security code