New SOC 2 Changes Address IT Risks, Governance

As business risks become more complex, the American Institute of Certified Public Accountants (AICPA) has recognized a need to better address cybersecurity risk and to increase transparency into internal controls and processes. As a result, it recently released changes to SOC 2 reporting requirements, including a realignment of the Trust Services Criteria, that take effect for reports whose periods end on or after December 15, 2018. SOC 2 reports are designed to report on non-financial controls, notably those relevant to the security, availability, processing integrity, confidentiality and privacy of the systems a service organization uses to process customer data.

SOC 2: What’s Changed?

The recent changes are significant. They require additional time and attention from service organizations that are required, or otherwise expected, to meet the new criteria, and from the CPA firms that issue SOC 2 reports. These changes include:

  • Trust Services Principles and Criteria has been renamed Trust Services Criteria, and the five principles (security, availability, processing integrity, confidentiality and privacy) are now referred to as Trust Services Categories. The term “principles” was dropped to prevent confusion with the use of that term within the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) framework.
  • The Trust Services Criteria have been rearranged and realigned with the 17 principles in the COSO 2013 framework to allow them to be used in entity-wide engagements. The COSO 2013 framework is widely used around the world and is recognized as a leading framework for internal controls.
  • Supplemental criteria have been added to address cybersecurity risks, fraud risk assessment, and risks arising from vendors and business partners. Specifically, organizations will need to address (1) logical and physical access controls, including how access is authorized, modified and removed; (2) system operations, specifically how systems detect, respond to and mitigate processing deviations and security events; (3) change management, including how changes to infrastructure, data and software are controlled and how unauthorized changes are prevented; and (4) risk mitigation, as it relates to business disruptions, including the use of vendors and business partners. In the 2017 Trust Services Criteria these four areas appear as the supplemental common criteria series CC6 through CC9.
  • Separate Description Criteria requirements are included that specify requirements of the system description, along with implementation guidance.

What is the Impact?

The Trust Services Criteria updates issued by the AICPA are the most significant changes since the inception of SOC 2. They better align SOC 2 reports with emerging business issues, including cybersecurity risk, but they will require time and diligence on the part of organizations to ensure the new criteria are met.

To ensure that internal controls are suitable and meet the new criteria, businesses should begin planning now: map the controls in their existing SOC 2 report to the realigned criteria and conduct a gap assessment to identify the improvements required to meet the new standard before the first reporting period that falls under it.

For more information on SOC 2 changes and how you can prepare for the new requirements, please contact us.

Contact Us

Joseph Landry

CISA, CISM, CRISC
Partner
