In recent years, the AICPA has made updates to what is required to be covered in a SOC 2 examination. Previously called Trust Services Principles, or Trust Services Principles and Criteria, the AICPA has dropped “Principles” and now just calls them Trust Services Criteria. The AICPA did not change the acronym for the codification of the guidance, as the criteria are still referred to as TSP in the guidance and can be found at TSP section 100.
The previous trust services principles and criteria (the 2016 TSPs) were effective starting December 15, 2016. The updated trust services criteria were required to be used for any report issued on or after December 15, 2018. For 2020, any report being issued should reference and map to the 2017 trust services criteria.
What are the Five Trust Services Criteria (formerly Principles)?
Though the AICPA changed the name, there are still five criteria available for inclusion in a SOC 2 examination. The five criteria and their definitions did not change with the updated 2017 guidance. The five criteria are listed below:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
The Trust Services Framework
Security Criteria: SOC 2 Common Criteria
The security criteria are the only criteria required to be included in a SOC 2 examination; they are also known as the common criteria. The security criteria are referred to as the common criteria because many of the criteria used to evaluate a system are shared among all of the Trust Services Criteria.
For example, the criteria related to risk management apply to four of the criteria (security, processing integrity, confidentiality, and availability). The common criteria establish both the criteria common to all of the trust services criteria and the complete set of criteria for security.
When a service organization’s client wants to know that their information/data is secure and protected, they are likely interested in the security criteria. These criteria are comprehensive enough that including them alone in the scope of the examination will likely be enough for a service organization’s clients to get the assurance they need with respect to the security of their information/data.
The other available criteria can be added to the examination at the discretion of management, or if it is determined that the criteria are key to the services being provided.
Prior to deciding on the criteria to include in the SOC 2 examination, the service organization, with the help of their auditor, should determine the system and its boundaries relevant to the services that are being provided. This should include contemplation of the entire environment, including software, infrastructure, procedures, data, and people. After the scope of the examination has been determined, it can then be decided which of the criteria are pertinent to the service organization’s services and system.
Which Criteria do you Include in your SOC 2?
Determining which of the criteria to include in the scope of a SOC 2 examination is a key step in the SOC 2 planning process. A service organization should do its homework and know a little about the available criteria and whether they apply to its services and system. It is also very important to get advice from an experienced accounting firm that can help navigate the criteria and determine which ones are relevant.
What if a Client is Asking for All Criteria to be Included?
A number of prospects and clients have come to us asking what to do if a client is asking for all criteria to be included but they do not think they all apply. As a general rule, all criteria do not need to be included, but there are cases where clients are asking for all because they do not know what they are asking for, and therefore asking for all covers everything. In these cases we can be included in a conversation with the client and talk through the criteria and the relevancy to the service provider.
Can Testing Occur in a SOC 2 Outside of the SOC 2 Criteria?
There can be flexibility in a SOC 2 examination to include mapping of controls to other certifications/regulations/frameworks. The AICPA guidance allows service organizations to complete a SOC 2 plus examination that includes a mapping to other certifications/regulations/frameworks. Linford & Company performs a number of SOC 2 examinations that include such mappings.
How do the 17 COSO Principles Integrate with SOC 2 Criteria?
The widely recognized 2013 COSO Framework is commonly used to evaluate the design and operating effectiveness of an entity’s internal controls. Because both COSO and the trust services criteria are used to evaluate internal control, integrating them made sense. COSO is made up of 17 principles, which are grouped into the following five categories:
- Communication and Information
- Control Environment
- Monitoring Activities
- Risk Assessment
- Control Activities
These five categories align with the first five criteria sections within the security/common criteria section.
Additional SOC 2 Criteria Outside of the COSO Principles
The following guidance is included in COSO Principle 12: “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” The 2017 Trust Services Criteria describe specific criteria, in addition to the COSO principles, that are mapped in to evaluate the internal controls over the five trust services criteria. TSP Section 100.05 describes the additional criteria as follows:
- Logical and physical access: How an entity restricts access (physical and logical), adds and removes said access, and avoids unauthorized access.
- System operations: How an entity manages the operation of system(s) and detects and mitigates processing nonconformities, including access (physical and logical) security nonconformities.
- Change management: How an entity recognizes the necessity for changes, executes the changes using a controlled process and stops unauthorized changes from occurring.
- Risk mitigation: How the entity identifies, selects, and develops risk mitigation activities for risks arising from business disruptions, and how it monitors and evaluates the use of business partners and vendors.
Points of Focus in a SOC 2
Points of focus are new to SOC reporting with the 2017 trust services criteria but have previously been part of the COSO framework. For each criterion, there is a list of several associated points of focus. The points of focus provide detail on the features that should be included in the design, implementation, and operation of the control related to the criterion. There are around 200 points of focus associated with the SOC 2 common criteria in the 2017 Trust Services Criteria. Across all five categories (security, availability, processing integrity, confidentiality, and privacy) into which the COSO principles map, there are 61 criteria with almost 300 points of focus.
The numbers listed in the previous paragraph should not cause any alarm, because a majority of the points of focus are what SOC auditors should already be reviewing as part of the SOC 2 examination. The points of focus were simply not listed alongside the criteria until the 2017 update. Additionally, not all points of focus are relevant to every service provider, and an assessment of whether each point of focus is met by the service organization is not required according to the guidance at TSP 100.04.
What is the Difference Between a SOC 1 and SOC 2 Report?
The Trust Services Criteria apply to a SOC 2 report only. So how is a SOC 1 different? A SOC 1 report has a little more flexibility in what is tested and opined on by the auditor. In addition to reviewing security, a SOC 1 audit focuses more on the service organization’s controls that are or may be relevant to an audit of its clients’ financial statements. The service organization (with the help of the auditor) determines the key control objectives for the services it provides to clients, and those are what is included in the report. Control objectives in a SOC 1 always include objectives around IT general controls, but also cover business processes at the service organization that impact its clients.
Where to find Additional Information on the Trust Services Criteria
The Trust Services Criteria can be purchased in the AICPA store. Additionally, a mapping document, which shows how each of the 2017 criteria and points of focus relate to the COSO principles, and how they map to the 2016 Trust Services Principles and Criteria, can be downloaded from the AICPA.
Linford & Company has helped many new clients scope their needs for a SOC 2 audit, including identifying the boundaries of their system and determining the criteria needed in their examination. All clients are provided these services as part of the readiness assessment.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.