The AICPA recently issued an update to the Trust Services Principles and Criteria for Security, Availability, Processing Integrity, and Confidentiality. The revised criteria are effective for reporting periods ending on or after December 15, 2014. SOC 2 SM reports are based on the AICPA’s Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP section 100A).
In an effort to eliminate the redundancy and cross-referencing involved with the original Trust Services Principles and Criteria, the new criteria have been restructured to group all common criteria. The criteria used to be grouped together by the four different areas for each trust principle:
The new Trust Services Principles and Criteria group common criteria that apply to all principles into the following seven categories:
1. Organization and management
3. Risk management and design and implementation of controls
4. Monitoring of controls
5. Logical and physical access controls
6. System operations
7. Change management
In addition to these seven categories, service organizations must consider the additional criteria that are specific to availability, confidentiality, and processing integrity. Be aware that streamlining the common criteria does not mean that there are fewer controls that need to be in place, as those seven categories apply to all principles being reported on.
Some of the most significant areas of change and focus that services organizations should address:
- Greater focus on risk assessment.
- Code of conduct and background screening procedures are now required, whereas in the past it was an illustrative control for a specific criteria.
- Criteria surrounding disaster recovery and incident response-related controls are more specific.
- More focus on defined organization structure and reporting lines.
- More focus on performing root cause analysis over incidents that occur and their respective remediation efforts.
- Clearer communication of certain security criteria to internal and external users is now required.
- Streamlined criteria that provides enhanced presentation for SOC 2SM reporting.
- Documentation prepared to explain to internal and external users the limitations of the system as well as each user’s responsibilities.
What you need to do differently?
Although early adoption of the new Trust Services Principles and Criteria is permitted and most organizations that have undergone a SOC 2SM audit will likely have the controls in place to meet the new criteria, we suggest that your organization perform the following on behalf of clients:
- Assess current controls to ensure alignment with the newly issued criteria.
- Re-map existing controls to the new criteria to support coverage.
- Discuss any needed changes.
A service organization that currently or has previously provided a SOC 2SM or SOC 3SM report to stakeholders, should understand the impact of these changes on SOC reporting processes. If your client has not completed a SOC audit but provides outsourced services to customers, this is particularly important; especially for those being audited by their customers surrounding those processes, and are completing checklists to provide information on their internal control environment to their customers. This is also important if compliance initiatives such as HIPAA, GLBA, ISO 27001, and NIST 800-53 need to be achieved.
Angela Appleby, CPA, is an audit partner with EKS&H LLLP and leads the Risk Advisory Services group. Contact Angela at