Changes to the Trust Services Principles that Impact SOC 2

The American Institute of Certified Public Accountants recently issued an update to the Trust Services Principles. The changes apply to the Trust Services Principles and Criteria for security, confidentiality, processing integrity, and availability. The new criteria are effective for reporting periods ending on or after December 15, 2014, with early adoption permitted. The Privacy principle and criteria are currently under revision but, as of now, have not been updated.

Service organizations should begin assessing current controls to ensure alignment with the newly issued criteria and discuss any needed changes with their SOC auditor.

One of the most positive changes is the restructuring of the criteria to group together all criteria common to the applicable trust principles (security, availability, processing integrity, and confidentiality). This should eliminate some of the redundancy and circular referencing sometimes found in SOC 2 reports.

Additionally, criteria will no longer be grouped by four separate factors for each trust principle (policies, communications, procedures, and monitoring). Instead, the criteria applicable to all four principles will be grouped into the following seven categories:

  • Organization and management
  • Communications
  • Risk management and design and implementation of controls
  • Monitoring of controls
  • Logical and physical access controls
  • System operations
  • Change management

Criteria applicable only to a single principle will remain structured to that principle. Naturally, report layout and structures will be modified to reflect these changes.

The following are some of the more significant takeaways from the changes:

  • Controls already established by management that meet the current SOC 2 criteria may need to be re-assessed by management to better align with the new criteria. In some cases, new controls may need to be implemented.
  • Greater focus on risk assessment. Service organizations should therefore ensure that organizational risk assessments are performed periodically, address the risk that proper controls to meet the criteria are not in place, consider the risk of internal and external threats, and are well documented, discussed, and reviewed by management.
  • Stronger emphasis on the stand-alone criteria for processing integrity. Service organizations should consider and assess, among other elements, the sufficiency of data storage, monitoring of environmental vulnerabilities, and whether system inputs and outputs are complete and accurate.
  • Some new criteria make clearer the requirement to communicate certain security matters to internal and external users. Some service providers may need to augment their controls to clearly communicate these matters to external users.
  • The criterion related to monitoring of controls, CC4.1, places greater responsibility on service providers to “self-assess” the design and operating effectiveness of controls outside of the audit process. Organizations may need to perform and document this assessment more formally than they have in the past.
  • The criteria surrounding disaster recovery and incident response controls are more specific and may require service organizations to have more formal programs.
  • Certain aspects of the change control criteria will likely require service organizations to have more robust controls to ensure that all required changes have actually been made to the system.

For additional information about the benefits of the SOC 2 and the changes to the Trust Services Principles and Criteria, or to learn how Baker Tilly’s specialists can help, contact our team.