Open Mobile Menu


Filed In: SOC 1/2

It’s Time to Use the Latest SOC 2 Trust Services Criteria, Are You Ready?

Views: 5387

Written By: Matthew Cooper December 14, 2018

Starting this weekend, all SOC 2 reports with review periods ending after December 15th, 2018 must be conducted using the American Institute of Certified Public Accountants’ (AICPA) April 2017 release of the Trust Services Criteria. This blog post describes the major changes to the criteria and provides some advice for using it to prepare for your next SOC 2 audit.

Highlights of the Changes to the New SOC 2 Trust Services Criteria

The major change to the 2017 SOC criteria is the alignment with the COSO 2013 Integrated Framework. The COSO Integrated Framework is a framework for internal control; its primary function being to provide reasonable assurance as to the accuracy of external financial reporting. The Sarbanes-Oxley Act (SOX), Section 404, requires publicly-traded companies to select and implement an internal control framework, and the vast majority of U.S. publicly traded companies adopted the COSO Framework.

COSO defines internal control as follows:

Internal control is a process, effected by an entity’s board of directors, manage­ment, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.   

Based on this definition of internal control, one can see the relevance for SOC 2 reporting. A SOC 2 audit and report demonstrates that an organization has sufficient management and board-level processes to provide reasonable assurance that it will achieve its information security objectives related to operations, reporting, and compliance. 

The COSO Framework is comprised of five integrated components:

  • Control Environment – These are the processes, standards, and structures that provide the basis for effective internal control. The control environment includes standards for conduct, integrity and ethical behavior, processes for board oversight, structures for management authority, responsibility and oversight, processes for attracting, developing and retaining competent staff, incentives, and processes for measuring performance. 
  • Risk Assessment – In COSO, risk assessment requires management to establish clear objectives for operations, compliance, and reporting, and then implement processes to continuously identify and assess risks to the achievement of those objectives. Effective risk assessment processes must also consider internal and external changes to the organization and business environment that may affect the functioning of internal control.
  • Control Activities – These are the actions established through policies and procedures that ensure management’s risk mitigation directives are carried out to meet objectives. Control activities can be preventative or detective, manual or automated, and include controls such as reviews, approvals, reconciliations, and authorizations. Segregation of duties controls are typically included in the control activities.
  • Information and Communication – This component considers the processes for identifying and capturing relevant, quality information from both internal and external sources. Once captured, relevant information must be communicated both internally and externally in support of control activities.
  • Monitoring Activities – Ongoing and separate evaluations must be implemented to determine that the components of internal control are present and functioning. Ongoing evaluations built into various levels of the business process should provide timely information. Separate, periodic evaluations, with varying scope and frequency should also be conducted. Findings should be evaluated against relevant criteria and standards, and deficiencies communicated to management and the board as appropriate.

Because the COSO Integrated Framework was designed primarily for financial controls, the AICPA added four (4) additional, technology-focused criteria, to the 2017 SOC2 TSC under COSO Principle 12. The four additional criteria will be familiar to those who have undergone a SOC 2 audit under the previous 2016 Trust Services Principles and Criteria. The four criteria are as follows:

  • Logical and Physical Access – These criteria relate to the way an entity restricts logical and physical access, provides and removes access, and prevents unauthorized access.
  • System Operations – This relates to the management of system operations including detection and mitigation of processing and security deviations.
  • Change Management – These criteria relate to the process for identifying and controlling changes to the environment and preventing unauthorized changes.
  • Risk Mitigation – These criteria are relevant to how the entity identifies and implements risk mitigation activities related to potential business disruptions and relationships with third party vendors and partners.

Points of Focus

Whereas the old SOC 2 TSCP listed the criteria followed by illustrative risks and illustrative controls, the new version lists the criteria followed by “points of focus.” According to the AICPA, points of focus are supposed to represent important characteristics of the criteria. Their purpose is to assist management and auditors when both designing and implementing controls as well as evaluating their design, suitability and operating effectiveness. It is important to note that some points of focus may not be suitable or relevant for a particular entity. Alternatively, an entity may choose to develop additional points of focus for their environment.

Trust Services Categories

Lastly, the five SOC 2 Principles, Security, Availability, Confidentiality, Processing Integrity and Privacy, will now be referred to as the Trust Services Categories, this change was made to avoid confusion with the use of the term “principles” in the COSO Framework.

Practical Advice for Using the 2017 TSC

For users of the old SOC 2 TSPC, the new version will take some getting used to. There are more controls in it than in the 2016 TSPC, and some of the points of focus may seem a bit vague or irrelevant, that is partly because all of the original COSO points of focus were carried over into the SOC 2 principles and tied to the internal controls of information security.

The AIPCA has created mappings between the 2017 TSC and the 2016 TSCP, ISO 27001,l NIST CSF, and COBIT5.

I recommend that you utilize mappings to the previous 2016 TSCP or other standards with which you are familiar. In addition, work with your SOC 2 audit firm and ask them for a sample Document Request List (DRL) based on the 2017 TSC. Make sure that your auditors can provide you with a DRL prior to the audit, as this will be one of the most valuable resources for understanding how they will interpret the SOC 2 criteria as it applies to your organization and your selected audit categories.

Feel free to email me if you have any questions or to discuss your readiness for a SOC 2 audit.

At AppSec Consulting, we assist organizations in all industries prepare for, and successfully pass, SOC 2 audits. Let me know how we can help you.

Matthew Cooper

In his role at AppSec Consulting, Matt is responsible for IT risk assessment, data security and privacy consulting, security and compliance framework gap assessment and audit support, physical security assessment, policy and procedure development, development of client training and security management programs, PCI ASV scanning, and the creation of tools and methodologies to support the Strategic Advisory Services practice. Matt’s background includes systems administration and level three support for a fortune 1000 public company, and extensive security management responsibility working for one of the largest international security services and technology companies in the world, managing over 200 employees and an approximately $8 million book of business. Matt has a wide range of expertise in diverse business areas, including risk assessment, information security and privacy, compliance management, operational and financial planning, business development, personnel management, client success, and contract management.   

read more articles by Matthew Cooper