AICPA Releases New SOC 2 Guide – What You Need to Know

April 16, 2018, Jeff Cook, Principal, SOC Practice, Coalfire, CPA, CITP, CIPT, CISA

In March 2018, the American Institute of Certified Public Accountants (AICPA) released its highly anticipated new System and Organization Controls 2 (SOC 2) guide, which includes information for the extant (2016) trust services principles and the new (2017) trust services criteria. The following is a summary of some key highlights in the new guide, what changed, and what to expect for future SOC 2 efforts.

SSAE 16 No More! Welcome SSAE 18

While the Statement of Standards for Attestation Engagements (SSAE) 18 was officially started in 2017, the 2018 SOC 2 guide now incorporates the new standard that supports all SOC 2 engagements. For SOC purposes, the highlights of SSAE 18 include a more robust risk assessment of the engagement from the auditor’s perspective and more support for the completeness and accuracy of evidence provided to the auditor.

A More Streamlined System Description and Incident Disclosure

In order to clarify the requirements for system descriptions, the AICPA implemented a new description criteria for SOC 2 reports in 2018. These nine criteria are now clearly defined and were developed for management and service auditors to have a clearer understanding whether system descriptions are meeting required standards.

One new item in particular, though, regards the disclosure of significant incidents for the system during the period. This disclosure is to inform the readers of any incidents that caused the company to fail to meet the objectives in scope. While it is yet to be seen how companies will disclose this information, a good rule of thumb may be to use any press release information on an incident as the basis for the disclosure (what, when, where, why, and how it was resolved). 

From Principles to Criteria

Previously known as the “Trust Service Principles,” the AICPA renamed the former TSPs to Trust Services Criteria. The reason for this is because with the new criteria, the AICPA wanted to facilitate the use of the criteria in an entity-wide engagement. From there, the AICPA restructured and aligned the criteria with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework for enterprise risk management, internal control, and fraud deterrence, which lends itself more toward internal controls at the entity as a whole or to a segment of an entity. Because the COSO framework uses “principles” to refer to elements of internal control that must be effective, the AICPA opted to change their description from TSPs to Trust Services Criteria to avoid confusion.

More Details on the COSO Framework Please

The COSO framework addresses, in more detail, certain organizational and management controls.  Additionally, to better address cybersecurity risks, the new criteria also expanded on various areas at a more detailed level than the previous versions. Those areas include: risk management, incident management, logical and physical access controls, system operations, and change management. 
Some examples of the additional detail include:

  • Discussion of board or management oversight of internal control development and independence in that oversight
  • The types (and quality) of information that supports internal control function
  • Specification of objectives and the risks associated with them
  • Assessment of changes that impact the system of internal control
  • Deeper dive into detection and monitoring of potential vulnerabilities
  • Vendor risk management
  • Mitigation for potential business disruptions

Points of Focus

Using the COSO framework as a basis, the AICPA added “points of focus” for each of the criteria to represent important characteristics to help users apply those criteria effectively. While the points of focus are intended to help management or auditors develop their controls or determine if controls are suitably designed, they are not required elements in order to satisfy criteria. Think of them more as “guidelines” or “examples” that can help develop or evaluate controls.

What to Expect for 2018 SOC 2 Examinations and Beyond

When does this start?
The new Trust Services Criteria and System Description Criteria are required to be used for any reports issued after December 15, 2018. So, for Type 1 reports, anything with an “as of” date of December 16, 2018 or later, and for Type 2 reports, anything with a period end date of December 16, 2018 or later.

What is my added Level of Effort (LOE)?
In regard to level of effort, you should expect to see some more testing related to the additional details as discussed above. However, in most cases, companies covered some of these additional details already through their previous reports, or potentially already have those controls in place, but were just not previously reported. Similarly, for the system description, many of the items now required were likely previously addressed in your system description. There is just a more structured way of presenting that information now. 

Conclusion

The 2018 AICPA SOC 2 Guide strives to improve on the reporting process for all stakeholders of a SOC 2 engagement through current, relevant, and consistent guidance from top industry professionals. With those goals in mind, I was pleased and honored to be a part of the Assurances Services Executive Committee (ASEC) SOC 2 Working Group, comprised of many highly talented individuals from a variety of backgrounds that helped contribute to the development of this guide.

Where to Get More Information

The 2018 SOC 2 Guide:  Link to AICPA site
The 2018 System Description Criteria:  Link to AICPA site
SSAE 18 Standard:  Link to AICPA site

Jeff Cook

Author

Jeff Cook — Principal, SOC Practice, Coalfire, CPA, CITP, CIPT, CISA

Recent Posts

Post Topics

Archives

Tags

2.0 3.0 access Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff cloud CoalfireOne Compliance credit cards C-Store Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Ed Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi wireless women XSS