As the use of cloud, data processing, data storage, and “everything as a service” organizations has proliferated, so too has the need for entities to address the risks associated with using service organizations. Organizations providing these services need to demonstrate their principal service commitments and system requirements based on the trust services category of security and, if needed, the availability, confidentiality, processing integrity, and/or privacy trust services categories. They often do this by issuing a System and Organization Controls (SOC) for Service Organizations: Trust Services Criteria, or SOC 2®, report. A SOC 2 report provides users with a description of the system, including the type of services provided, the entity’s principal service commitments and system requirements, and the components of the system, such as the infrastructure, procedures, and data used in providing the services. The report also provides assurance about whether the controls have been designed and, if included, operated effectively to achieve the entity’s service commitments and system requirements based on the applicable trust services criteria. Alternatively, service organizations might provide a SOC 3® report, which describes the boundaries of the system and the entity’s principal service commitments and system requirements, and provides assurance about the effectiveness of the entity’s controls in achieving those service commitments and system requirements based on the applicable trust services criteria.
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) released its latest version of the trust services criteria applicable to service organizations in 2017, which will take effect later this year. The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, codified in TSP Section 100, are the latest iteration of a series of revisions over the past several years and will supersede the previous version, which was codified in TSP Section 100A. Service organizations that issue SOC 2 and/or SOC 3 reports with reporting periods ending after December 15, 2018 need to be prepared for examinations of their controls under the new criteria. Service organizations may also choose to adopt TSP Section 100 for reporting periods ending on or before December 15, 2018.
Why the change?
ASEC identified a need to revise the trust services criteria for use when reporting at an entity level or at a segment level, so that the criteria align more closely with the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission’s 2013 Internal Control–Integrated Framework (COSO framework).
The revisions also place greater emphasis on cybersecurity risks for service organizations undergoing examinations under the trust services criteria. The previous criteria allowed significant flexibility in applying them to cybersecurity risks, which caused wide variances in how cybersecurity was covered in attestation examinations and reporting. In response, ASEC added supplemental criteria that address logical and physical access controls, system operations, and change management. In addition, the 2017 criteria address risk management and incident management in greater detail than the previous criteria. These changes are intended to close those gaps and create more consistency among organizations using the trust services criteria.
Key changes in the new criteria
In addition to alignment with the COSO framework, key changes to be aware of in the 2017 criteria include the following:
The COSO framework refers to “principles” that must be in place and working for an organization’s internal control environment to be considered effective. To avoid confusion between the term “principle” as used in the COSO framework and in the trust services principles and criteria, the latter have been renamed “trust services criteria,” dropping the word “principles” altogether, although the acronym TSP is still used. Also, the five trust services principles referred to in TSP 100A—security, availability, processing integrity, confidentiality, and privacy—have been renamed the trust services “categories” in TSP Section 100.
The 2017 criteria feature new supplemental criteria, which are cited below, to address areas of importance to information security and risk mitigation:
- Logical and physical access controls criteria: How an entity restricts logical and physical access, provides and removes such access, and prevents unauthorized access
- System operations criteria: How an entity manages its systems’ operations and detects and mitigates processing deviations, including deviations in logical and physical security
- Change management criteria: How an entity identifies the need for changes, implements them through a controlled change management process, and prevents unauthorized changes from being made
- Risk mitigation criteria: How an entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions and from the use of vendors and business partners
The revised criteria also provide “points of focus” that relate to the points of focus included in the COSO framework. The points of focus in TSP Section 100 replace the “illustrative controls” from TSP Section 100A and are intended to provide guidance about important characteristics of the criteria for management to consider when designing, implementing, and operating controls. The points of focus may also assist management and the service auditor in evaluating the suitability of the design and operating effectiveness of controls to meet the relevant trust services criteria.
While neither service organizations nor service auditors are required to assess whether specific points of focus have been addressed, the points can be useful in evaluating whether controls are suitably designed and operating effectively to meet the organization’s commitments and system requirements based on the trust services criteria. Although some points of focus relate to all service organizations, not every point of focus will apply to every entity, so each service organization must carefully consider the points of focus within the context of its own organization. In addition, when appropriate, points of focus can be customized, or other characteristics may be used to evaluate specific criteria.
Along with the revisions to the trust services criteria, the AICPA has also issued revised guidance for management’s description of their system and control environment, which is codified in DC Section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report. This guidance is designed to be used in conjunction with the 2017 trust services criteria codified in TSP Section 100. One of the major changes with the updates to the description criteria in DC Section 200 is the requirement to disclose system incidents that were the result of controls that were not suitably designed or operating effectively or that caused a significant failure in achieving one or more of the entity’s service commitments or system requirements. Service organizations need to have appropriate monitoring controls and tracking mechanisms in place to identify and maintain a complete and accurate list of incidents that impact their service commitments or system requirements as of the description date or during the description period.
Steps to take now
The 2017 trust services criteria do not outline specific steps that a service organization must take to meet the criteria or to prepare for an auditor’s examination. Each service organization and its service auditor need to ascertain whether the organization is prepared for an examination of system and organization controls based on the 2017 trust services criteria.
Grant Thornton recommends that affected service organizations take the following steps to prepare for adoption and the next examination under the 2017 trust services criteria:
- Review and understand TSP Section 100 and DC Section 200 and how this guidance applies to your organization. It is important to understand the effect of changes in the criteria that will be used to evaluate internal controls and what actions you should consider as a result of these changes. Also, consider the points of focus and how they relate to your organization.
- Identify service commitments and system requirements to understand your obligations to your customers as they relate to the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
- Perform a risk assessment to identify the “what could go wrong” scenarios that would prevent you from meeting your service commitments and/or system requirements. Map existing internal controls to the risks identified during the risk assessment process and identify any risk that is not adequately addressed by a control.
- Map existing controls to the new criteria and ascertain whether your controls address the relevant points of focus. The AICPA has published a document titled Mapping of 2017 TSC to 2016 TSC on its website that maps the 2016 trust services principles to the 2017 trust services criteria to aid organizations with their mapping.
- As necessary, implement additional controls for any risks identified during the risk assessment that are not sufficiently addressed by existing controls. When December 16 or the start of your new reporting period arrives, any additional controls needed to address the risks associated with applying the 2017 trust services criteria must already be in place. For example, a service organization whose description covers the period from November 1, 2018 through October 31, 2019 needs to make sure its controls relevant to the 2017 trust services criteria are implemented by November 1, 2018.
- Act now to avoid unpleasant surprises and the costs of rushed, last-minute responses to the new criteria. It is natural to postpone action in light of other pressing priorities, but it is not a practical option for affected service organizations. Control design gaps may require allocating additional time and resources in the future to make sure that there is sufficient coverage to meet the updated trust services criteria, and it is more cost-effective to identify any challenges that need to be addressed well before the next examination under the 2017 trust services criteria.
For additional questions or assistance with these preparations, please contact your Grant Thornton attestation professional as soon as possible.