How to Prepare for Changes to SOC 2 Reporting

The American Institute of Certified Public Accountants (AICPA) released the 2017 Trust Services Criteria, which allow for enhanced SOC 2 reporting by providing greater coverage over IT governance and operational management. The new Trust Services Criteria must be adopted for SOC 2 examinations for reports with periods ending after December 15, 2018.

Key Changes

The AICPA’s updates will have a significant impact on SOC 2 reports. Here are the most important changes:

  • The Trust Services Criteria are now aligned with the COSO 2013 Internal Control—Integrated Framework
  • The Trust Services Principles and Criteria are renamed the Trust Services Criteria
  • The previous principles—Security, Availability, Processing Integrity, Confidentiality, and Privacy—are renamed Trust Services Categories
  • Points of focus have been added to each criterion to illustrate the characteristics of controls that address it

Transition Steps for Organizations

To transition to the 2017 Trust Services Criteria, organizations must map their current SOC 2 controls to the new criteria, identify gaps, and determine what additional controls they might need to add.

Map Controls

In mapping current SOC 2 controls to the 2017 Trust Services Criteria, organizations can use the new points of focus as a guide to the types of controls expected under each criterion.

Identify Gaps

After mapping, organizations can identify gaps in control coverage: criteria for which the remapped controls don’t fully meet the 2017 Trust Services Criteria, as well as criteria with no control mapped to them at all.

Common Gaps

While each organization will have its own control gaps to address, some common gaps in coverage include the following:

  • Independent oversight by a board of directors or similar governance group
  • Use of relevant, quality information, and selection of controls based on the identification and assessment of risks
  • Consideration of fraud in assessing risks
  • Logical and physical protections over the destruction of assets
  • Detection and monitoring procedures associated with system integrity checks
  • Risk mitigation for business disruption and recovery

Determine Controls Needed

Organizations must then determine what controls are needed to remediate the gaps they’ve identified. These may be controls the organization already operates but hasn’t previously included in its SOC 2 report, or controls it needs to design and implement before the examination period begins.

Timeline

The sooner an organization can anticipate potential gaps under the 2017 Trust Services Criteria, the more lead time it will have to institute new control practices, operate them long enough to generate evidence, and avoid introducing exceptions into future SOC 2 reports.

We’re Here to Help

If you’d like help simplifying the transition of your SOC 2 report to the 2017 Trust Services Criteria, contact your Moss Adams professional.