It has been several years since the AICPA last updated what is required to be covered in a SOC 2 examination, and specifically the trust services criteria. They were previously called Trust Services Principles, or Trust Services Principles and Criteria; the AICPA dropped “Principles” several years back and now calls them simply Trust Services Criteria, though periodically you will still hear a reference to “Principles.” The AICPA did not change the acronym for the codification of the guidance: the criteria are still referred to as TSP in the guidance and can be found at TSP section 100. Trust Services Criteria are commonly referred to as TSCs.
The updated trust services criteria are required to be used on any report issued on or after December 15, 2018. Any reports currently being issued should reference and be mapped to the 2017 trust services criteria. The most recent AICPA SOC 2 guide was issued in January of 2018.
What Are the Five Trust Services Criteria?
There are five criteria that are available to be included in a SOC 2 examination. The five criteria are listed below (the original article links to a separate article on each criterion).
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Security Criteria: SOC 2 Common Criteria
The only criteria required to be in a SOC 2 examination are the security criteria, which are also known as the common criteria. The security criteria are referred to as common criteria because many of the criteria used to evaluate a system are shared among all five of the Trust Services Criteria.
For example, the criteria related to risk management apply to four of the five categories (security, processing integrity, confidentiality, and availability). The common criteria establish both the criteria common to all the trust services criteria and the comprehensive set of criteria for security.
When a service organization’s clients want to know that their information/data is secure and protected, they are likely interested in the security criteria. The security criteria are comprehensive enough that including them alone in the scope of the examination will likely be enough for a service organization’s clients to get the assurance they need with respect to the security of their information/data.
The other available criteria can be added to the examination at the discretion of management, or if it is determined that the criteria are key to the services being provided.
Prior to deciding on the criteria to include in the SOC 2 examination, the service organization, with the help of its auditor, should determine the system and its boundaries relevant to the services that are being provided. This should include contemplation of the entire environment, including software, infrastructure, procedures, data, and people. After the scope of the examination has been determined, it can then be decided which of the criteria are pertinent to the service organization’s services and system.
Which Criteria Do You Include in Your SOC 2?
Determining which of the criteria to include in the scope of a SOC 2 examination is a key step in the SOC 2 planning process. A service organization should do its homework and know a little about the available criteria and whether they apply to its services and system. It is also very important to get advice from an experienced accounting firm that can help navigate the criteria and determine which ones are relevant.
Helping determine the criteria to include, as well as determining the boundaries of the system, is something that we at Linford & Company do all the time as part of our SOC 2 audits.
What if a Client is Asking For All Criteria to Be Included?
A number of prospects and clients have asked us what to do if a client is asking for all criteria to be included but they do not think they all apply. As a general rule, all criteria do not need to be included, but there are cases where clients ask for all of them because they do not know what they are asking for, and asking for all covers everything. In these cases, we can join a conversation with the client and talk through the criteria and their relevance to the service provider. Many times this conversation helps to clear up which criteria truly are relevant to the service organization and should be covered in the SOC 2 examination.
Can Testing Occur in a SOC 2 Outside of the SOC 2 Criteria?
There can be flexibility in a SOC 2 examination to include mapping of controls to other certifications/regulations/frameworks. The AICPA guidance allows service organizations to complete a SOC 2 plus examination that includes a mapping to other certifications/regulations/frameworks. Linford & Company performs a number of SOC 2 examinations that include mappings. For example, a few of the more common SOC 2 plus examinations that we perform include HITRUST, NIST CSF, and HIPAA mapping.
How Do the 17 COSO Principles Integrate with SOC 2 Criteria?
The widely recognized COSO Framework is often used to evaluate the design and operating effectiveness of an entity’s internal controls. Because both COSO and the trust services criteria are used to evaluate internal control, the criteria and the COSO framework were integrated in the last AICPA update to SOC 2 and the criteria. COSO is made up of 17 principles, which are grouped into the following five categories:
- Control Environment
- Communication and Information
- Monitoring Activities
- Risk Assessment
- Control Activities
These five categories align with the first five criteria sections within the security/common criteria section.
Additional SOC 2 Criteria Outside of the COSO Principles
The 2017 Trust Services Criteria describe specific criteria in addition to the COSO principles that are mapped to evaluate the internal controls over the five trust services criteria. TSP Section 100.05 describes the additional criteria as follows:
- Logical and Physical Access: How an entity restricts access (physical and logical), adds and removes said access, and avoids unauthorized access.
- System Operations: How an entity manages the operation of the system(s) and detects and mitigates processing nonconformities, including access (physical and logical) security nonconformities.
- Change Management: How an entity recognizes the necessity for changes, executes the changes using a controlled process, and stops unauthorized changes from occurring.
- Risk Mitigation: How the entity identifies, selects, and develops risk mitigation activities for risks arising from business disruptions, and how it monitors and evaluates its use of business partners and vendors.
Points of Focus in a SOC 2
Points of focus were new to SOC reporting with the 2017 trust services criteria but have been part of the COSO framework previously. For each criterion, there is a list of several associated points of focus. The points of focus deliver details as to the features that could be included in the design, implementation, and operation of the control related to the criterion. There are around 200 points of focus associated with the SOC 2 security/common criteria in the 2017 Trust Services Criteria. For all five categories (security, availability, processing integrity, confidentiality, and privacy) where the COSO principles map in, there are 61 criteria with almost 300 points of focus.
The numbers listed in the previous paragraph should not cause any alarm, because the majority of the points of focus are what SOC auditors should already be reviewing as part of the SOC 2 examination. The points of focus were not listed with the criteria until the 2017 update. Additionally, not all points of focus are relevant to every service provider. According to the guidance at TSP 100.04, an assessment of whether each point of focus is met by the service organization is not required; the points of focus are rather a guide, or examples of controls that could meet the associated criteria.
What is the Difference Between a SOC 1 & SOC 2 Report?
The Trust Services Criteria are used in a SOC 2 report only. So how is a SOC 1 different from a SOC 2 report? A SOC 1 report has a little more flexibility in what is tested and opined on by the auditor. In addition to reviewing security, a SOC 1 audit focuses more on the service organization’s controls that may be or are relevant to an audit of its clients’ financial statements. The service organization (with the help of the auditor) determines the key control objectives for the services it provides to clients, and those objectives are what is included in the report. Control objectives in a SOC 1 always include objectives around IT general controls, but they also include business processes at the service organization that impact its clients.
Where to Find Additional Information on the Trust Services Criteria
The SOC 2 guide that includes the Trust Services Criteria can be purchased in the AICPA store. Additionally, a mapping document, which shows how each of the 2017 criteria and points of focus relates to the COSO principles, can be downloaded from the AICPA.
Linford & Company has helped many new clients scope their needs for a SOC 2 audit, including identifying the boundaries of their system and determining the criteria needed in their examination. All clients are provided these services as part of the readiness assessment.
This article was originally published on 10/18/2019 and was updated on 11/24/2021.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.