Availability Trust Services Criteria in a SOC 2 Audit

The available Trust Services Criteria (TSC) as defined by the American Institute of Certified Public Accountants (AICPA) that can be included in a SOC 2 audit are the following:

  • Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability. Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

The only TSC that is required to be in every SOC 2 examination is the security TSC. The other four TSCs are options to be included in the examination at the discretion of the service organization.

In this post we will look specifically at the availability criteria. For additional information on the current SOC 2 guidance, refer to our article on the New Trust Services Criteria.

What is the Availability Trust Services Criteria?

As illustrated above, the AICPA defines the availability trust services criteria as “Information and systems are available for operation and use to meet the entity’s objectives.”Availability is a commonly included TSC since providing evidence that systems are available for operation is key to many clients of service organizations.

A lot of service organizations are providing an outsourced service to their clients, and most of these will have contractual requirements or service level agreements (SLAs) in place around the services being provided. Because of these requirements and SLAs, the availability TSC is great to include to evidence this. Data centers and service organizations that provide software as a service (SAAS) commonly include the availability TSC.

How do I Know if my Organization Needs the Availability TSC?

Choosing the correct principles to include in the scope of a SOC 2 examination is an important process. A service organization should be educated on the principles and the applicability they have on their system. Having knowledge and counsel of an experienced firm that performs SOC 2 examinations is very beneficial and will result in a more successful examination.

At Linford & Company we have helped many clients determine the boundaries of their system and select the appropriate TSCs to include in their examination. Contact us for a free consultation to perform a SOC 2 audit or any other audit or assessment from our auditing services.

When we are talking to prospective (and existing) clients about which criteria to include, we generally find out two different things. Specific to availability, we ask:

  1. Is the availability of your systems key to your clients?
  2. Are your clients asking for the availability TSC?

If availability is key to your clients, it should be included in your SOC 2.

For example, if the service organization is a data center, availability is certainly a key service provided, because if the data center goes down, the client’s business will be impacted. Clients of the data center would likely expect elements of availability of the data center included in the report. Many clients will specifically ask that availability be included in the report.

What additional testing is included in the availability TSC?

What Additional Testing is Included in the Availability TSC?

There are three additional criteria that are tested as part of the availability TSC (see all of the criteria, including the below availability criteria in the AICPA’s criteria mapping).

  • A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
  • A1.3: The entity tests recovery plan procedures supporting system recovery to meet its objectives.

To identify what testing will be included with the addition of the availability trust services criteria, the service auditor will walk through the services provided to your clients and identify control points in the process. This could include controls such as (these are just a few examples taken from the AICPA’s illustrative mapping (Mapping of 2017 TSC to 2016 TSC)):

  • Measures Current Usage—Measurement of use of system components is performed to establish a baseline for capacity management and to refer to when evaluating the risk of lack of availability due to capacity constraints.
  • Forecasts Capacity—A forecast and comparison of expected average and high use of system components to system capacity and tolerances is performed. Considerations include capacity in the event there is a system failure.
  • Identifies Environmental Threats—Management identifies environmental threats as part of the risk assessment that could impair the availability of the system. These could include threats resulting from weather, failure of environmental control systems, electrical discharge, fire, and flood/water.
  • Designs Detection Measures—Measures are implemented for detecting anomalies that could result from environmental threat events.
  • Implements and Maintains Environmental Protection Mechanisms— Environment protection mechanisms are implemented by Management to prevent and mitigate against environmental events.
  • Responds to Environmental Threat Events—Procedures have been developed and put in place for responding to environmental threats and for evaluating the effectiveness of those policies and procedures on an ongoing or periodic basis. This includes, but is not limited to, automatic mitigation systems (i.e., UPS and generator back-up subsystem).
  • Implements Business Continuity Plan Testing—Business continuity plan testing is performed on at least an annual basis. The testing includes (1) developing testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from the entire entity that can impact availability; (3) scenarios that consider the potential for lack of availability of key personnel; and (4) updating continuity plans and systems based on test results.
  • Tests Integrity and Completeness of Back-Up Data—The integrity and completeness of back-up information is tested on at least an annual basis.

Summary

While the availability TSC is not required in a SOC 2 examination, it is an important TSC for many service organizations to demonstrate availability.

Linford & Company has extensive experience providing SOC 2 examinations, including pre-assessments to help prepare companies go through the process of obtained a SOC 2 for the first time. If you are interested in learning more about SOC 2 examinations or any of the services provided by Linford & Co, please click the following links: SOC 1, SOC 2, HIPAA audits, Royalty Audits, FedRAMP, Processing Integrity.