New SOC 2 Changes Address IT Risks, Governance
As business risks become more complex, the American Institute of Certified Public Accountants (AICPA) has recognized a need to better address cybersecurity risks and increase transparency into internal controls and processes. As a result, they recently released changes to SOC 2 reporting requirements – including realignment of the Trust Services Criteria – that will go into effect for reports whose period ends after December 15th, 2018. SOC 2 reports are designed to report on non-financial controls, notably those relevant to the security, availability and processing integrity of systems used to process data.
SOC 2: What’s Changed?
The recent changes are significant and require additional time and attention both from organizations that are required or otherwise expected to meet the new requirements and from the firms that issue SOC 2 reports. These changes include:
- Trust Services Principles and Criteria has been renamed Trust Services Criteria, and the five principles (security, availability, processing integrity, confidentiality and privacy) are now referred to as Trust Services Categories. The term “principles” was dropped to prevent confusion with the use of that term within the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) framework.
- The Trust Services Criteria have been rearranged and realigned with the 17 principles in the COSO 2013 framework to allow them to be used in entity-wide engagements. The COSO 2013 framework is widely used around the world and is recognized as a leading framework for internal controls.
- Additional supplemental criteria have been included to align with various cybersecurity risks, fraud risk assessments, and risks related to vendors and business partners. Specifically, organizations will need to address (1) logical and physical access controls, including how access is authorized and removed; (2) systems operations, specifically how systems detect and mitigate processing deviations; (3) change management, including how changes are controlled and unauthorized changes are prevented; and (4) risk mitigation, as it relates to mitigating business disruptions, including addressing the use of vendors and business partners.
- Separate Description Criteria requirements are included that specify requirements of the system description, along with implementation guidance.
What is the Impact?
The Trust Services Criteria updates issued by the AICPA are the most significant changes since the inception of SOC 2. These changes better align SOC 2 reports with emerging business issues, including cybersecurity risk; however, they will require time and diligence on the part of organizations to ensure the new standards are met.
To ensure that internal controls are suitable and meet the new criteria, businesses should begin planning for the changes and conduct a gap assessment against their existing SOC 2 audit to identify areas of improvement required to meet the new standards.
For more information on SOC 2 changes and how you can prepare for the new requirements, please contact us.
Information presented was obtained from sources deemed qualified and reliable; however, MFA makes no representations as to accuracy, completeness, suitability, or validity of any information within this communication and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. Any forward-looking statements are believed to be reasonable; however, MFA gives no assurance that such expectations will prove to be correct.