The AICPA recently issued new Trust Services Principles (TSP Section 100) in April 2016 which supersedes the previous version issued in 2014. The most significant changes to the TSP include the following:
- Restructures and creates a new set of privacy criteria that is incorporated as part of the common criteria method of assessment and reporting. As such, privacy principles is now consolidated into a more concise set of additional criteria for privacy that is to be reported as part of the common criteria report instead of a separate report for Generally Accepted Private Principles.
- Revised Appendix B, “Illustration of Risks and Controls for Sample Entity” to include additional privacy criteria and examples of risks that may prevent the privacy criteria from being met as well as controls designed to address those risks.
- Modified criteria CC3.1 and CC3.2 to specifically require the need to address potential threats including those arising from the use of vendors and other third parties providing goods and services. This also includes threats from customer personnel and others with access to the system.
- Eliminated CC3.3, it was merged into CC3.1 and CC3.2 for redundancy.
- Two new confidential requirements (C1.7 and C1.8) were introduced to address the retention and disposal of confidential information.
The new trust services principles and criteria are effective for periods ending on or after December 15, 2016, with early implementation permitted. Please refer to this page for a listing of all the changes that were incorporated into the new Trust Service Principles. You can also see the full guidance for purchase through the AICPA website.
Companies should review these new changes and began assessing whether their organization has sufficient controls to address these risks. For a free 2-hour consultations regarding your SOC readiness or other needs, please contact Andrew Wan, Audit Partner, at awan@larsco.com.