Are You Ready for the New Trust Services Criteria?

If your company reports under AICPA SOC (System and Organization Controls) 2, you should already be preparing for the new guidance and updated Trust Services Criteria (TSC) that take effect for periods ending after December 15, 2018. SOC  2 reports are intended to provide assurance to users of outsourced services that are not financial in nature. (Financial controls are audited and reported under the SOC 1 standard.)

The new guidance includes several key changes, exhibiting an overarching theme of better integrating cybersecurity risks and considerations. 

The changes include:

  1. Name change from the 2016 Trust Services Principles and Criteria (TSPC) to the 2017 Trust Services Criteria (TSC)
  2. Alignment of the 2017 TSCs with the COSO 2013 framework
  3. Supplemental sub-classifications, in addition to the 17 principles (known as ‘criteria’ for SOC 2 purposes) from COSO 2013, that include logical and physical access, system operations, change management and risk mitigation
  4. Replacement of “Illustrative Controls” with “Points of Focus,” which provide guidance for the criteria on internal control
  5. Description Criteria updated requirements have also been introduced, requiring more explicit disclosure of service commitments and system requirements
  6. Reporting updates including description of the System (Section III) is based on the criteria in section DC section 200 and effectiveness of the service commitments and system requirements against the TSCs

To understand how the new criteria relate to the old ones, see the AICPA’s published mapping of the 2016 TSPCs to the new 2017 TSCs.

Tips and tricks for transitioning to the new 2017 TSCs:

If you have existing internal controls in place, this is a good time to look holistically at your existing control set and perform a control rationalization exercise for the new criteria.  Update controls as needed to map them more appropriately to the new criteria and identify any gaps where existing controls aren’t enough. 

Although there are direct mappings from the 2016 TSPCs to the 2017 TSCs, additional considerations may require fine-tuning existing controls. A great place to begin is by using the mapping done for the 2016 TSPCs and integrating those into the 2017 TSCs.  New controls will most likely need to be considered, but if the original mapping against the 2016 TSPCs was done well, the number of new controls should be reasonable.

If you are new to SOC 2 reporting, then the great news is that you are starting with a blank slate!  There’s no need to review prior mappings and appropriateness of controls — instead, you have the freedom to design a control set with a fresh perspective using COSO 2013 as a guide. Start by getting familiar with the AICPA guidance for SOC 2 examinations, then make sure you understand the 2017 TSC requirements, the service being provided and the anticipated controls. We always recommend beginning any new SOC 2 with a gap/readiness assessment to ensure proper controls are aligned to the criteria and that they are indeed in place and functioning appropriately.

If you need help navigating SOC requirements — either to update to the new TSCs or to perform your first assessment — Weaver can help. Contact Weaver today to get started.