Service organizations that undergo a SOC 2 examination, or are currently preparing to have one performed, should be aware of the recently updated requirements and how their pending SOC 2 examinations will be impacted. The specific changes pertain to the updated 2017 Trust Services Criteria (TSC) and the 2018 SOC 2 Description Criteria (DC). For more information on the specifics of these changes, refer to our recent SOC 2 update article.
When the SOC 2 as-of date for a Type 1 report or the period-end date for a Type 2 report is on or after December 16, 2018, the 2017 TSC and the 2018 DC must be used. If the as-of date or the period-end date is on or before December 15, 2018, then either version of the TSC (2016 or 2017) and DC (2015 or 2018) may be used. Keep in mind that the 2018 DC were intended to be used with the 2017 TSC. Therefore, if a service organization uses the 2018 DC, it must also use the 2017 TSC.
With the effective date right around the corner, service organizations might be wondering how to best prepare. Below, we will walk through the steps service organizations should perform in order to prepare for these updates, based on different scenarios.
- Scenario 1 – A service organization issued a SOC 2 report under the 2016 TSC and 2015 DC, and the SOC 2 examination period-end date is on or before 12/15/18:
  - Perform the next examination under the 2016 TSC and 2015 DC.
  - Perform a readiness assessment under the 2017 TSC and 2018 DC to identify new controls that will need to be implemented to meet the 2017 TSC and 2018 DC requirements for the following year’s SOC 2 examination.
- Scenario 2 – A service organization issued a SOC 2 report, or completed a readiness assessment, under the 2016 TSC and 2015 DC, and the SOC 2 examination period-end date is on or after 12/16/18:
  - Map current controls to the 2017 TSC, identify control gaps and implement controls as necessary.
  - Determine if the controls and system description meet the 2017 TSC and 2018 DC.
    - If yes, leave the report period-end date as is and perform the examination under the 2017 TSC and 2018 DC.
    - If no, determine if moving up the report period-end date to on or before 12/15/18 is an option.
      - Base this decision on customer requirements.
      - If the end date cannot be moved up, the service organization will have to perform the examination under the 2017 TSC and 2018 DC.
        - The service organization risks having pervasive exceptions, thus causing the SOC 2 report to be qualified.
      - If the end date can be moved up, the service organization should move the report period-end date up.
        - In addition, the service organization should perform a readiness assessment under the 2017 TSC and 2018 DC to identify new controls that will need to be implemented to meet the 2017 TSC and 2018 DC requirements for the following year’s SOC 2 examination.
- Scenario 3 – A service organization is in the process of evaluating CPA firms to perform a SOC 2 examination:
  - Evaluate CPA firms and ask if they have issued any reports under the 2017 TSC and 2018 DC.
  - Engage a CPA firm to perform a readiness assessment using the 2017 TSC and 2018 DC.
Schneider Downs has converted several of its clients over to the new SOC 2 requirements. In addition, we have early-adopted the updated SOC 2 requirements and have issued SOC 2 reports for new clients under them.
For more information on how to prepare for the impending SOC 2 changes, please visit our SOC FAQs page or feel free to contact a member of our SOC Reporting team.