SOC 2 Trust Services Criteria Revamped to Align with the COSO 2013 Framework

The AICPA’s Assurance Services Executive Committee (ASEC) recently released an exposure draft proposing revisions to the Trust Services Criteria (TSC) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The changes will take effect for SOC 2 reports published after June 15, 2018. Even though the changes won’t take effect until 2018, service organizations should start planning now to ensure that their internal controls meet the new Trust Services Criteria. The most significant changes are summarized below:

  • Renames the Trust Services Principles and Criteria. The COSO 2013 framework uses the term “principles” to refer to the elements of internal control. To avoid confusion, the Trust Services Principles and Criteria will drop the term “Principles” and be renamed the Trust Services Criteria. In addition, the five principles (Security, Availability, Processing Integrity, Confidentiality, and Privacy) will now be referred to as the Trust Services Categories.

  • Restructures and aligns the TSC with the COSO 2013 framework. This is a significant change that will most likely require service organizations to restructure their controls. Service organizations will have to ensure that their controls meet the 17 principles in the COSO 2013 framework and the additional supplemental criteria noted below.

  • Restructures and adds supplemental criteria to better address cybersecurity risks in engagements using the TSC. In addition to the 17 principles in the COSO 2013 framework, new supplemental criteria were developed and organized into the following categories:
    • Logical and physical access controls. The TSC relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
    • System operations. The TSC relevant to how an entity manages the operation of its system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
    • Change management. The TSC relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
    • Risk mitigation. The TSC relevant to how an entity identifies, selects, and develops risk mitigation activities, and how the entity assesses and manages risks associated with vendors and business partners.

  • Adds points of focus to all TSC. The points of focus may assist management and the practitioner in evaluating whether controls are suitably designed and operating effectively; however, use of the TSC does not require management or the practitioner to separately assess whether each point of focus is addressed.

Please contact us with questions on how to prepare for the impending SOC 2 Trust Services Criteria changes, and visit our SOC Report FAQs to learn more about SOC reports.


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
