Earlier this year, the AICPA released an updated guide to the SOC 2 reporting standards. The new requirements and criteria are applicable for reports with periods ending as of, or after, Dec. 16, 2018. The most significant changes include:
- The Trust Service Principles will be renamed and referred to as the Trust Services Criteria.
- The Trust Services Criteria were revised and are now more in line with the 17 principles of the COSO framework. The AICPA has also included specific points of focus that an organization needs to take into consideration, and information that will help an organization identify and apply the criteria.
- Increased focus on how an organization manages its cybersecurity risk.
All service providers should consider these questions:
Is my report going to be affected by this change?
If you’re a service provider that currently receives and/or is looking to have a SOC 2 examination performed, you will be affected.
When will this affect my organization?
If your report period ends as of, or after, Dec. 16, 2018, the report must follow the new SOC 2 standards. Organizations should ensure that their current control structure meets the new requirements prior to the deadline. Keep in mind that controls need to be operating throughout the entire testing period.
How will this change affect my organization?
There will be significant changes in controls and in how they are evaluated in terms of governance, monitoring, and risk management. Because the revisions align the criteria with the 2013 COSO framework, greater weight is placed on entity-level controls and cybersecurity risk. While COSO originally assessed internal controls over financial reporting, incorporating COSO with the SOC controls helps to evaluate the entity as a whole.
There are specific controls that need to be applied across the entire entity and then communicated down to the specific system that is being evaluated with the examination. Your board of directors, audit committee, and/or executive management must provide oversight related to identifying and assessing areas of risk and internal controls. This risk-based approach will also identify the necessary frequency and level of control monitoring that you’ll need to implement.
How should I prepare for these changes?
Service providers must ensure that they have the appropriate controls in place to meet the new SOC 2 requirements, prior to the deadline. Our cybersecurity experts can help identify and evaluate your risk and controls, as well as provide recommendations to address gaps.