Trust Services Criteria for SOC 2 Examinations May Require Changes

New 2017 Trust Services Criteria took effect for SOC 2 examinations on December 15, 2018, allowing for enhanced System and Organizational Control (SOC) 2 reporting by providing greater coverage over IT governance and operational management.

Notable changes introduced by the new criteria include the following:

  • Trust Services Criteria are now aligned with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework
  • Trust Services Principles are renamed Trust Services Criteria
  • Previous principles—security, availability, processing integrity, confidentiality, and privacy—have been renamed as Trust Services Categories
  • Points of focus have been added to all Trust Services Criteria

About SOC 2 Audits

SOC 2 examinations measure the effectiveness of internal controls related to five trust services categories:

  • Security
  • Availability
  • Confidentiality
  • Processing integrity
  • Privacy

Most technology companies engage in SOC 2 audits regardless of their line of service because they act as, or work with, vendors to store, process, or maintain client data.

The number of SOC 2 examinations performed has increased sharply in recent years. This trend is expected to continue, largely because security concerns grow in step with the IT industry’s promotion of new cloud-based products and services.

Next Steps

As organizations transition to the new 2017 Trust Services Criteria, they must map their current SOC 2 controls to the new criteria and identify which new controls are needed to meet the new requirements. These could be controls an organization already has in place but hasn’t previously reported for SOC 2, or controls an organization needs to implement.

Map Controls

When mapping former SOC 2 controls to the 2017 Trust Services Criteria, organizations can use the newly issued points of focus as a guide for the types of controls needed to meet each criterion.

After mapping controls, organizations can identify gaps in coverage where controls don’t fully meet the 2017 Trust Services Criteria.

Common Gaps

While each organization is unique, there are some common potential gaps in coverage:

  • Independent oversight by a board of directors or similar governance group
  • Use of quality information, and selection of controls based on the identification and assessment of risks
  • Consideration of fraud in assessing risks
  • Logical and physical protections over the destruction of assets
  • Detection and monitoring procedures associated with system and integrity checks
  • Risk mitigation for business disruption and recovery

We’re Here to Help

We’ve implemented an automated process to assist clients as they meet the new 2017 Trust Services Criteria. For more information about the process or how your organization can map its current controls and identify gaps, contact your Moss Adams professional.