The AICPA Assurance Services Executive Committee (ASEC) has released a new set of Trust Services Criteria (TSP Section 100) for SOC 2, SOC 3, and SOC for Cybersecurity engagements. The organizational structure and level of detail documented in the new criteria differ noticeably from the prior version, but the general concepts remain largely the same.
Slight Name Change: Trust Services Criteria
The former nomenclature was Trust Services Principles and Criteria, and now it is just shortened to Trust Services Criteria. Interestingly, the AICPA did not change the acronym for the codification of the guidance, even though they removed ‘Principles’ from the name. The acronym is still TSP, and the guidance can be found at TSP Section 100.
Why the Change?
The AICPA lists the following as the key benefits of the new criteria:
- Alignment with the 2013 COSO Internal Control—Integrated Framework
- Better addresses cybersecurity risks
- Increases flexibility in application
COSO Internal Control–Integrated Framework
The 2013 COSO Internal Control—Integrated Framework is commonly recognized and is used to assess the design and effectiveness of an entity’s internal control over financial reporting. Integrating this well-respected framework into the Trust Services Criteria makes sense, because like COSO, the Criteria are used to evaluate internal controls – specifically controls over security, availability, processing integrity, confidentiality, and privacy. COSO is made up of 17 principles which are grouped into the following categories:
- Control Environment
- Communication and Information
- Risk Assessment
- Monitoring Activities
- Control Activities
Supplemental Trust Services Criteria
COSO Principle 12 provides the following guidance: “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” To build on that concept, the new Trust Services Criteria describe specific control activity criteria (supplemental criteria) beyond the COSO principles that should be used to evaluate the internal controls over security, availability, processing integrity, confidentiality, and privacy. TSP Section 100.05 describes the supplemental criteria:
- Logical and physical access controls. The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
- System operations. The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
- Change management. The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
- Risk mitigation. The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.
Specific Criteria for Additional Trust Services Categories
As seen in previous versions of the Trust Services Principles and Criteria, there are common criteria for all five of the trust services categories. The security category consists of the complete set of the common criteria, and then there are additional criteria specific to availability, processing integrity, confidentiality, and privacy. It is also important to note that the general definitions of each of the categories were not revised for the 2017 guidance.
Points of Focus
Points of focus are new to SOC reporting, but they have been a part of the COSO framework. Each criterion is presented with a list of several points of focus – characteristics important to that criterion. The points of focus provide more detail as to the aspects that should be included in the control design, implementation, and operation. The 2017 Trust Services Criteria consist of 33 common criteria with almost 200 points of focus. For all five categories, there are 61 criteria with almost 300 points of focus.
Points of Focus Considerations
The numbers listed above should not cause too much worry, because most of the points of focus are what SOC auditors already review; they just had not been spelled out in this way in the past. In addition, not all points of focus are suitable or relevant to the entity or engagement. The guidance at TSP 100.04 also mentions that an assessment of whether each point of focus is addressed is NOT required.
Points of Focus Example
Points of focus are best illustrated with an example from TSP Section 100.
One of the logical and physical access control criteria (CC6.8) is “The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.”
The Trust Services Criteria then list the following points of focus:
- Responds to Security Incidents—Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis.
- Communicates and Reviews Detected Security Events—Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.
- Develops and Implements Procedures to Analyze Security Incidents—Procedures are in place to analyze security incidents and determine system impact.
- Assesses the Impact on Personal Information—Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.
- Determines Personal Information Used or Disclosed—When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.
The Timeline – Key Date: Dec. 15, 2018
The 2016 Trust Services Principles and Criteria were effective for periods ending on or after December 15, 2016, but a new set of Trust Services Criteria was released just months later in April of 2017. Currently, either set of criteria can be used for SOC 2 reporting, but the report should specify which set of criteria (2016 or 2017) has been used. However, beginning December 15, 2018, all reports should be issued using the 2017 Trust Services Criteria. In 2018 or earlier, companies should be reviewing the points of focus and their relationship to the design, implementation, and operation of controls at the organization.
Resources – Where to Find the New Trust Services Criteria
The 2017 Trust Services Criteria can be purchased (downloadable or hard copy) from the AICPA store: Trust Services Criteria. The AICPA has also provided a mapping document, which shows how each of the new criteria and points of focus relate to the 2016 Trust Services Principles and Criteria: Mapping
Linford & Company has extensive experience providing SOC 2 examination services, including pre-assessments to help prepare companies for the examination under the new guidance. If you are interested in learning more about all the services provided by Linford & Co, please click the following links: SOC 1, SOC 2, HIPAA audits, Royalty Audits, FedRAMP, Processing Integrity.