In March 2018, the American Institute of Certified Public Accountants (AICPA) released its highly anticipated new System and Organization Controls 2 (SOC 2) guide, which includes information for the extant (2016) trust services principles and the new (2017) trust services criteria. The following is a summary of some key highlights in the new guide, what changed, and what to expect for future SOC 2 efforts.
SSAE 16 No More! Welcome SSAE 18
While the Statement on Standards for Attestation Engagements (SSAE) 18 became effective in 2017, the 2018 SOC 2 guide now incorporates the new standard, which governs all SOC 2 engagements. For SOC purposes, the highlights of SSAE 18 include a more robust risk assessment of the engagement from the auditor's perspective and more emphasis on the completeness and accuracy of the evidence provided to the auditor.
A More Streamlined System Description and Incident Disclosure
To clarify the requirements for system descriptions, the AICPA issued a new set of description criteria for SOC 2 reports in 2018. These nine criteria are now clearly defined and were developed so that management and service auditors have a clearer understanding of whether a system description meets the required standard.
One new item in particular concerns the disclosure of significant incidents affecting the system during the period. This disclosure is meant to inform readers of any incident that caused the company to fail to meet the objectives in scope. While it remains to be seen how companies will disclose this information, a good rule of thumb may be to use any press release on the incident as the basis for the disclosure: what happened, when, where, why, and how it was resolved.
From Principles to Criteria
The AICPA renamed what were previously known as the Trust Services Principles (TSPs) to the Trust Services Criteria. The reason is that, with the new criteria, the AICPA wanted to facilitate their use in an entity-wide engagement. To that end, the AICPA restructured and aligned the criteria with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control - Integrated Framework, which is written for internal control over an entity as a whole or a segment of an entity. Because the COSO framework uses the term "principles" for the elements of internal control that must be present and functioning, the AICPA changed the name from Trust Services Principles to Trust Services Criteria to avoid confusion.
More Details on the COSO Framework Please
The COSO framework addresses certain organizational and management controls in more detail. Additionally, to better address cybersecurity risks, the new criteria expand on several areas at a more detailed level than previous versions. Those areas include risk management, incident management, logical and physical access controls, system operations, and change management.
Some examples of the additional detail include:
- Board or management oversight of the development of internal control, and the independence of that oversight
- The types (and quality) of information that support the internal control function
- Specification of objectives and the risks associated with them
- Assessment of changes that impact the system of internal control
- A deeper dive into the detection and monitoring of potential vulnerabilities
- Vendor risk management
- Mitigation for potential business disruptions
Points of Focus
Using the COSO framework as a basis, the AICPA added "points of focus" for each criterion. These represent important characteristics of the criterion and are meant to help users apply it effectively. While the points of focus help management and auditors develop controls or determine whether controls are suitably designed, they are not required elements for satisfying a criterion. Think of them as guidelines or examples that can help you develop or evaluate controls.
What to Expect for 2018 SOC 2 Examinations and Beyond
When does this start?
The new Trust Services Criteria and the new description criteria are required for any report whose "as of" date (Type 1) or period end date (Type 2) falls after December 15, 2018. In other words, a Type 1 report with an "as of" date of December 16, 2018 or later, or a Type 2 report with a period end date of December 16, 2018 or later, must use the new criteria.
What is my added Level of Effort (LOE)?
In terms of level of effort, you should expect some additional testing related to the added detail discussed above. In most cases, however, companies already covered some of these details in their previous reports, or already have the relevant controls in place but simply did not report on them before. Similarly, for the system description, many of the items now required were likely already addressed in your existing description; there is just a more structured way of presenting that information now.
The 2018 AICPA SOC 2 Guide strives to improve the reporting process for all stakeholders of a SOC 2 engagement through current, relevant, and consistent guidance from top industry professionals. With those goals in mind, I was pleased and honored to be a part of the Assurance Services Executive Committee (ASEC) SOC 2 Working Group, made up of many highly talented individuals from a variety of backgrounds who helped contribute to the development of this guide.
Where to Get More Information
The 2018 SOC 2 Guide: Link to AICPA site
The 2018 System Description Criteria: Link to AICPA site
SSAE 18 Standard: Link to AICPA site