Are you looking for information about the new changes to the SOC 2 standards? Few reports have been issued under the new guidance, and many companies are seeking clarification on how and when their control systems and descriptions will be affected.

Main changes

The new criteria align the previous trust service criteria with the Committee of Sponsoring Organizations of Treadway Commission (COSO) 2013 framework for Internal Control. The COSO framework is a widely used and robust model for internal controls with 17 principles grouped into five components including control environment, communication and information, risk assessment, monitoring, and control activities. The new criteria also address cybersecurity risk and criteria specific to availability, processing integrity, confidentiality, and privacy. In doing this, some language has been changed to avoid confusion – the Trust Service Principles and Criteria are now just Trust Service Criteria, as COSO already used the term principles to refer to elements of internal control.

There are also new description criteria. Management and service professionals have been evaluating descriptions of the subject matter for many of these elements previously, but now the criteria are clearly defined.

These changes are effective for reporting periods ending after December 15, 2018.

Organization of new trust service criteria

Each criteria has underlying points of focus to help management and service professionals evaluate the design of controls. For example, CC1.1 is the criteria “the entity demonstrates a commitment to integrity and ethical values.” The first point of focus for this criteria is:

“Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.”

Points of focus are meant to serve as guides and companies do not need a control for each point of focus as long as existing controls provide reasonable assurance that criteria are met. For a complete list of the new criteria and points of focus and mapping to the old criteria, see the AICPA online tool.

New description criteria

Management and service professionals have been implicitly applying description criteria for some time, but the new criteria clearly define requirements for management’s description of the subject matter. Management’s description now should include:

  • Types of services provided
  • Principal service commitments and system requirements
  • Components of the system used to provide the services, including:
    • Infrastructure
    • Software
    • People
    • Procedures
    • Data
  • Description of system incidents
  • Applicable trust service criteria and applicable controls to provide reasonable assurance that service commitments and system requirements were achieved
  • Complimentary user entity controls
  • Complimentary subservice organization control

 

The most drastic change related to the management’s description is the requirement for principal service commitments, principal system requirements, and system incidents. These main additional disclosure requirements are defined as follows:

Principal Service Commitments – declarations made by service organization management to users entities about the system used to provide the service and the objectives of the system. Examples of such commitment statements maybe include:

  • The organization will provide a privacy notice to customers once every 6 months or when there is a change in the organization’s business policies.
  • The organization will respond to access requests within 10 working days of receiving the request from its customers.

Principal System requirements – specifications about how the system should function to meet the service organization’s commitments to customers, relevant laws and regulations, and guidelines of industry groups, such as business or trade associations. Examples of such system requirement statements maybe include:

  • Business processing rules and standards established by regulators, for example, security requirements under the Health Insurance Portability and Accountability Act (HIPAA)
  • Workforce member fingerprinting and background checks established in government banking regulations

System incidents – description regarding the nature, timing, and extent of any incidents that (a) were the result of controls that were not suitably designed or operating effectively or (b) otherwise resulted in a significant failure in the achievement of one or more of those service commitments and system requirements, as of the date of the description or during the period of time covered by the description.

Impact on You

New controls may need to be added to address previously unmitigated risks. For example the new criteria add controls related to governance, risk management, and 3rd party management. A mapping (see link) of the old 2016 Trust Service Principles and Criteria to the new 2017 Trust Service Criteria is available through the AICPA to aid in this process.

Management may need to modify the description of the subject matter or system to comply with enhanced description criteria.

Recommended Action

Review a mapping of your controls with the new criteria and identify control gaps. Make a plan and timeline for implementation of additional controls. Consider timing your next SOC report to end prior to December 15, 2018 to give additional time to implement.

Larson & Company is available to answer your questions on this new guidance. For information or to schedule your SOC engagement, please contact Andrew Wan at awan@larsco.com or at 801-984-1829. If you are new to SOC reporting, Larson & Company offers a 2-hour free initial SOC readiness assessment to help companies determine which SOC is best for their needs and also assist in identifying any control gaps the company may have.