New SOC Report Framework Addresses Emerging Risks
In 2017, the American Institute of Certified Public Accountants (AICPA) announced major changes to its trust services criteria (TSC), which affects the controls that must be included in SOC 2, SOC 3, and SOC for cybersecurity reports.
To date, most of the SOC 2 and SOC 3 reports published by service organizations have continued to use the trust services principles (TSP) reporting framework that was released in 2016: TSP Section 100A.
That’s been an acceptable reporting framework, because the newest reporting criteria has been optional since it was released last year. But that’s changing in the near future.
The new criteria will be required for reports with end-periods that close on or after December 15, 2018. However, for reports with end-periods that stop on the November 30 reporting period, you can still use the old TSP framework.
If you aren’t already using the new report, the general reporting concepts are largely similar to the existing framework, but the structure itself and level of detail are more transparent. Here’s what the changes are all about.
- The AICPA integrated the trust services criteria with the widely-used and well-respected Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework
- The update clarifies confusion by updating the framework name. The Trust Services Principles and Criteria is now simply Trust Services Criteria
- The updates better address evolving cybersecurity risks
- The framework allows for greater flexibility in how the trust criteria are applied
The new trust service criteria
Generally, TSC control criteria are for use in attestation or consulting engagements to evaluate and report on controls over the security, availability, processing integrity, confidentiality, and privacy of information and systems.
The new criteria provide a more flexible framework. Now it can be applied (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity’s operational, reporting, or compliance objectives; or (d) to a particular type of information used by the entity.
Alignment with COSO
The 2017 TSC update integrates with the 2013 COSO framework, which applies the internal control framework to the entire entity or a segment of an entity. Integrating this well-respected framework into the TSC makes sense because, like COSO, the TSCs are used to evaluate internal controls — specifically, controls over security, availability, processing integrity, confidentiality, and privacy.
The COSO framework uses 17 principles to refer to the elements of internal controls that must be present or functioning for the entity’s internal control to be considered effective. The 2016 update did not use the same terminology.
To avoid confusion, the AICPA renamed its framework “trust services criteria.” The same five principles (security, availability, processing and integrity, confidentiality, and privacy) are still used but now are denoted as “trust services categories.”
The 17 COSO principles
COSO’s 17 principles are incorporated into the TSC common criteria and categorized into the following classifications:
- Control environment (CC1 series)
- Communication and information (CC2 series)
- Risk assessment (CC3 series)
- Monitoring activities (CC4 series)
- Control activities (CC5 series)
As seen in previous versions of the TSP, there are common criteria for all five of the trust services categories to avoid some of the redundancies. The security category consists of the complete set of the common criteria, and then there are additional criteria specific to availability, processing integrity, confidentiality, and privacy.
Address cybersecurity risks
To better address cybersecurity risks, the AICPA further modified the 17 principles into four groupings:
- Logical and physical access controls — How an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access (CC6 series).
- System operations — How an entity manages the operation of the system(s) and detects and mitigates processing deviations, including logical and physical security deviations (CC7 series).
- Change management — How an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made (CC8 series).
- Risk mitigations — How an entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners (CC9 series).
A more flexible application
The COSO framework has had “points of focus,” characteristics important to that criterion, but the points are new to TSC and SOC reporting. Each criterion is presented with several points of focus to help the organization evaluate whether the controls are suitably designed and operating effectively. The 2017 TSC consist of 33 common criteria with almost 200 points of focus. For all five categories, there are 61 criteria with almost 300 points of focus.
Do not be worried about the numbers listed above, because service auditors or the practitioner (i.e., CPA firms) are already reviewing the majority of the points of focus.The points of focus are spelled out in this way to distinguish it from prior TSP updates.
Applying the TSC in actual situations requires the organization to use judgment when applying the criterion, based on understanding the facts and circumstances of the organization and its environment in the actual situation. In addition, not all points of focus are suitable or relevant to the entity or engagement. The guidance at TSP 100.04 also mentions that an assessment of whether all points of focus were addressed is not required.
Points of focus example
Points of focus can be illustrated with an example of logical and physical access control (CC6.2). That criteria says:
“Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.”
The Trust Services Criteria then list the following points of focus:
- Controls access credentials to protected assets — Information asset access credentials are created based on an authorization from the system’s asset owner or authorized custodian.
- Remove access to protect assets when appropriate — Processes are in place to remove credential access when an individual no longer requires such access.
- Review appropriateness of access credentials — The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.
Where to find the new trust services criteria
The AICPA website has a complimentary criteria mapping document, which shows how each of the new criteria and points of focus relates to the 2016 trust services principles and criteria. Each organization’s situation is unique, and mapping it out will provide a general idea of the relationship between the 2016 TSP and the 2017 TSC. The 2017 trust services criteria itself can be purchased (downloadable or hard copy) from the AICPA store.
Your next steps
If you have already issued a SOC 2 or SOC 3 report or are planning for a future SOC 2, SOC 3, or SOC for cybersecurity report, you’ll need to gain an understanding of the new trust service criteria to evaluate the organization’s current control posture, identify potential gaps and incremental required controls, establish a timeline for completion, and secure organizational resource commitments for the next examination under the TSC criteria.
How we can help
Escalating and evolving risk is changing the way reporting is conducted. We can help you prepare for the new SOC reporting requirements to determine if internal security measures meet the revised AICPA trust services criteria framework, whether it is applied to a SOC 2 or SOC 3 report, or a SOC for cybersecurity examination.