New Trust Services Criteria Are Set to Transform SOC 2 Reporting
August 30, 2018
The ability to demonstrate readiness for the next cyber event is a significant competitive advantage for any company that collects or processes highly sensitive data. A SOC 2 report backed by the new and improved Trust Services Criteria now provides service organizations with a much stronger basis to demonstrate the strength of their information security controls.
More Granularity, Less Subjectivity
Part of the AICPA System and Organization Controls (SOC) reporting suite, SOC 2 provides information that users of a service organization need to understand system controls relevant to security, availability, processing integrity, confidentiality and privacy—now collectively known as the Trust Services Criteria (TSC). These new criteria are required for SOC 2 reports for periods ending after Dec. 15, 2018.
By comparison, the new TSC are far more granular and explicit. The new criteria mirror the widely accepted enterprise risk management principles of COSO Internal Control—Integrated Framework (2013). This framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to provide executives with guidance on how to design and implement effective internal controls to achieve their operational, reporting and compliance objectives.
The TSC are organized according to the framework’s five components:
- Control environment,
- Communication and information,
- Risk assessment,
- Monitoring activities, and
- Control activities.
Aligning these criteria to internationally recognized ERM principles certainly creates a higher bar for service organizations. The 17 COSO principles include many that have come to be considered foundational to public company financial controls. More importantly, at their core these criteria represent a more stable platform from which to develop and assess the effectiveness of an information security risk management program.
The foundation of COSO is governance, which is often the weakest dimension of security risk management programs. The new criteria require service organizations to demonstrate evidence of a strong control environment in areas such as:
- Is the board of directors and senior management setting the appropriate tone and standards of conduct?
- Has management established, with board oversight, the structures and reporting lines needed to achieve objectives?
- When defining these authorities and responsibilities, are they considering the specific requirements relevant to the domain of the report (security, availability, processing integrity, confidentiality and/or privacy)?
With the stronger foundation of these new criteria and guidance from practitioners who can provide context about how to leverage them to strengthen the business, a SOC 2 report can significantly improve operational risk management, providing peace-of-mind to internal stakeholders, as well as dramatically increase the degree of assurance conveyed to external parties.
Points of Focus Provide Context
The new Trust Services Criteria represent a significant step forward in helping service organizations tailor information security controls to their unique business environments.
“Points of focus” help users understand important characteristics of each criterion and how to interpret the COSO principle in different business contexts. They also enable practitioners performing the SOC 2 examination to provide clearer feedback on what aspects of systems and processes must be improved to effectively manage information security risk. For example, several dozen points of focus clarify the characteristics of a system that would provide appropriate logical and physical security over information assets.
Because these points of focus remove some room for interpretation, the new criteria may highlight gaps in controls that may have been deemed acceptable in previous periods. In short, service organizations may be subject to additional tests and new documentation on internal controls during the upcoming SOC 2 engagement.
Service organizations preparing for an upcoming SOC 2 examination have no time to lose in understanding these new criteria, migrating from the older Trust Services Principles and Criteria, and putting in place controls that meet the higher bar of the new Trust Services Criteria.
Please contact Aprio for more information, including steps to ensure your organization is ready for your next SOC 2 report and how you can leverage the Trust Services Criteria to strengthen your cyber operational risk management.