The New SOC 2

Terry Ammons

Systems Partner

June 14, 2017

For those of you who have just gotten used to the changes in the AICPA’s Trust Services Principles and the related SOC 2 examination requirements, it’s time to start getting ready for the new SOC 2. Actually, there have been a number of changes lately around the AICPA’s SOC (System and Organization Controls) services but what we’re planning to focus on here is based on the revised Trust Services Criteria.

The AICPA’s Assurance Services Executive Committee (ASEC) issued an exposure draft dated September 15, 2016, proposing revisions of the Trust Services Criteria (TSC) for Security, Availability, Processing Integrity, Confidentiality, and Privacy which have now been published and finalized. These changes will take effect for SOC 2 reports that are issued on or after June 15, 2018.

The following is a brief overview of the key changes to the TSC that you need to know about relating to SOC 2:

Now aligns with the COSO 2013 frameworkService organizations will have to ensure that their controls meet the 17 principles outlined in the COSO 2013 framework as well as the supplemental criteria noted below. There are a number of COSO Principles in the new framework that don’t map to the former Trust Services Criteria, so this will be a significant change that will likely require service organizations to restructure most of their internal controls.

Added supplemental criteria to better address cybersecurity risks. In addition to the 17 principles in the COSO 2013 framework, new supplemental criteria were developed and organized into the following categories:

  • Logical and physical access controls: relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
  • System operations: relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
  • Change management: relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
  • Risk mitigation: relevant to how an entity identifies, selects and develops risk mitigation activities and how the entity assesses and manages risks associated with vendors and business partners.

Has a new name. The COSO 2013 framework uses the term “principles” to refer to the elements of internal control. To avoid confusion, the TSC will remove the word “principles” from its original name and will be renamed more simply as the “Trust Services Criteria.”  In addition, the five principles (Security, Availability, Processing Integrity, Confidentiality, and Privacy) will now be referred to as the Trust Services Categories.

The AICPA has published a helpful document that maps the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria, which as noted above, is based on the COSO 2013 framework. To see an example of the changes, you can view the Mapping of the 2017 Trust Services Criteria to the Extant 2016 Trust Services Principles and Criteria. The AICPA is expected to provide an updated Audit Guide within a month.

Even though the changes won’t take effect until 2018, service organizations need to plan for the changes now, to ensure that their internal controls are appropriate and will stand up to the new criteria.

This post was originally published on LinkedIn.