Select Monthly Archives
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- August 2018
- July 2018
- May 2018
- March 2018
- February 2018
- December 2017
- November 2017
- September 2017
- August 2017
- June 2017
- May 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- March 2016
- October 2015
- September 2015
- July 2015
- May 2015
- March 2015
- February 2015
- January 2015
- December 2014
- September 2014
- August 2014
- July 2014
- June 2014
- December 2013
- September 2012
Filed In: SOC 1/2
Written By: Matthew Cooper December 14, 2018
Starting this weekend, all SOC 2 reports with review periods ending after December 15th, 2018 must be conducted using the American Institute of Certified Public Accountants’ (AICPA) April 2017 release of the Trust Services Criteria. This blog post describes the major changes to the criteria and provides some advice for using it to prepare for your next SOC 2 audit.
Highlights of the Changes to the New SOC 2 Trust Services Criteria
The major change to the 2017 SOC criteria is the alignment with the COSO 2013 Integrated Framework. The COSO Integrated Framework is a framework for internal control; its primary function being to provide reasonable assurance as to the accuracy of external financial reporting. The Sarbanes-Oxley Act (SOX), Section 404, requires publicly-traded companies to select and implement an internal control framework, and the vast majority of U.S. publicly traded companies adopted the COSO Framework.
COSO defines internal control as follows:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
Based on this definition of internal control, one can see the relevance for SOC 2 reporting. A SOC 2 audit and report demonstrates that an organization has sufficient management and board-level processes to provide reasonable assurance that it will achieve its information security objectives related to operations, reporting, and compliance.
The COSO Framework is comprised of five integrated components:
- Control Environment – These are the processes, standards, and structures that provide the basis for effective internal control. The control environment includes standards for conduct, integrity and ethical behavior, processes for board oversight, structures for management authority, responsibility and oversight, processes for attracting, developing and retaining competent staff, incentives, and processes for measuring performance.
- Risk Assessment – In COSO, risk assessment requires management to establish clear objectives for operations, compliance, and reporting, and then implement processes to continuously identify and assess risks to the achievement of those objectives. Effective risk assessment processes must also consider internal and external changes to the organization and business environment that may affect the functioning of internal control.
- Control Activities – These are the actions established through policies and procedures that ensure management’s risk mitigation directives are carried out to meet objectives. Control activities can be preventative or detective, manual or automated, and include controls such as reviews, approvals, reconciliations, and authorizations. Segregation of duties controls are typically included in the control activities.
- Information and Communication – This component considers the processes for identifying and capturing relevant, quality information from both internal and external sources. Once captured, relevant information must be communicated both internally and externally in support of control activities.
- Monitoring Activities – Ongoing and separate evaluations must be implemented to determine that the components of internal control are present and functioning. Ongoing evaluations built into various levels of the business process should provide timely information. Separate, periodic evaluations, with varying scope and frequency should also be conducted. Findings should be evaluated against relevant criteria and standards, and deficiencies communicated to management and the board as appropriate.
Because the COSO Integrated Framework was designed primarily for financial controls, the AICPA added four (4) additional, technology-focused criteria, to the 2017 SOC2 TSC under COSO Principle 12. The four additional criteria will be familiar to those who have undergone a SOC 2 audit under the previous 2016 Trust Services Principles and Criteria. The four criteria are as follows:
- Logical and Physical Access – These criteria relate to the way an entity restricts logical and physical access, provides and removes access, and prevents unauthorized access.
- System Operations – This relates to the management of system operations including detection and mitigation of processing and security deviations.
- Change Management – These criteria relate to the process for identifying and controlling changes to the environment and preventing unauthorized changes.
- Risk Mitigation – These criteria are relevant to how the entity identifies and implements risk mitigation activities related to potential business disruptions and relationships with third party vendors and partners.
Points of Focus
Whereas the old SOC 2 TSCP listed the criteria followed by illustrative risks and illustrative controls, the new version lists the criteria followed by “points of focus.” According to the AICPA, points of focus are supposed to represent important characteristics of the criteria. Their purpose is to assist management and auditors when both designing and implementing controls as well as evaluating their design, suitability and operating effectiveness. It is important to note that some points of focus may not be suitable or relevant for a particular entity. Alternatively, an entity may choose to develop additional points of focus for their environment.
Trust Services Categories
Lastly, the five SOC 2 Principles, Security, Availability, Confidentiality, Processing Integrity and Privacy, will now be referred to as the Trust Services Categories, this change was made to avoid confusion with the use of the term “principles” in the COSO Framework.
Practical Advice for Using the 2017 TSC
For users of the old SOC 2 TSPC, the new version will take some getting used to. There are more controls in it than in the 2016 TSPC, and some of the points of focus may seem a bit vague or irrelevant, that is partly because all of the original COSO points of focus were carried over into the SOC 2 principles and tied to the internal controls of information security.
The AIPCA has created mappings between the 2017 TSC and the 2016 TSCP, ISO 27001,l NIST CSF, and COBIT5.
I recommend that you utilize mappings to the previous 2016 TSCP or other standards with which you are familiar. In addition, work with your SOC 2 audit firm and ask them for a sample Document Request List (DRL) based on the 2017 TSC. Make sure that your auditors can provide you with a DRL prior to the audit, as this will be one of the most valuable resources for understanding how they will interpret the SOC 2 criteria as it applies to your organization and your selected audit categories.
Feel free to email me if you have any questions or to discuss your readiness for a SOC 2 audit.
At AppSec Consulting, we assist organizations in all industries prepare for, and successfully pass, SOC 2 audits. Let me know how we can help you.