In April 2017, the American Institute of Certified Public Accountants (AICPA) updated the Trust Services Criteria (TSC), impacting the controls required to be included with a SOC 2 report. The new criteria, while available for use now, will be required for reports with periods ending after December 15, 2018. Early adoption is encouraged as the current 2016 Trust Services Principles (TSP) will be superseded by the new TSC after the December 15 date.
What are the Significant Changes?
The updated SOC 2 framework outlined in the new TSC includes:
- Renaming of the current SOC acronym from “Service Organization Controls” to “System and Organization Controls”
- Renaming of the Trust Services Principles (TSP) to Trust Services Criteria (TSC)
- Alignment of the new TSC with the 17 principles in the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) framework
- Addition of new criteria and points of focus to consider
What Will Organizations Need to Do to Make the Transition?
If your organization already has a SOC 2 report under the 2016 Trust Services Principles, then you will need to first map those controls to the new 2017 Trust Services Criteria.
Secondly, after mapping controls, you will need to identify gaps in your organization’s set of controls; common gaps in coverage under the new criteria include:
- Independent oversight by the Board
- Consideration of fraud as part of the Risk Assessment
- Protection over the destruction of assets that contain sensitive information
- Risk mitigation for business disruption and recovery
Thirdly, after identifying gaps in control coverage, you will need to determine how to remediate them; the remediating controls could be ones already in operation but not previously reported on in the old SOC 2 report, or they could be new controls that need to be implemented.
The sooner your organization can identify any potential gaps against the new 2017 Trust Services Criteria, and implement new control practices if needed, the greater the likelihood that you can avoid control exceptions on future SOC 2 reports.
Let Us Help!
Our SOC 2 Report experts are here to help guide you through the process of transitioning to the new Trust Services Criteria. Likewise, if your organization has never had a SOC 2 report, we are highly skilled and trusted in taking clients through the entire process from start to finish.