SOC update: What recent changes mean for your internal control reporting
INSIGHT ARTICLE |
As security concerns rise, service organization control (SOC) reports are in much higher demand for proof of internal control strength. Whether you provide SOC reports to clients, or review reports from vendors, recent updates affect how control environments are communicated. Learn what these changes can mean for your organization and how to adjust your SOC strategy.
SOC 2 report demand
The market demand for SOC 2 reports is increasing at a rapid pace. We have witnessed more and more demand for controls reporting; especially the SOC 2 report. This interest is a result of various security breaches in the headlines, and as vendor compliance programs are enhanced from these concerns to require SOC reports versus the standard control questionnaires.
If your organization is providing, or plans to provide, services to other large businesses, expect to receive requests for a controls report. Therefore, we recommend reviewing your organization’s business strategy to determine if a SOC report is an appropriate investment for your future client base or an initiative to differentiate your organization from your competition. In addition, if you currently have a SOC 1, you may receive requests to provide a SOC 2 as well, to demonstrate controls to protect your client’s data.
SOC 3 seal program
The AICPA and CPA Canada are no longer supporting the SOC 3 seal program. Any engagements that are currently in progress, including renewals for existing SOC 3 seals, will continue through Dec. 31, 2014. The market demand was limited for the seal program, and with the SOC logo program in place, the organizations decided to discontinue the seal program. The cessation of the seal program does not impact the performance of SOC 3 engagements, nor the issuance of SOC 3 reports by practitioners.
Updates to the AICPA Trust Services Principles and Criteria
The AICPA has issued the updated Trust Services Principles and Criteria that will change the current structure of the various criteria. Thus, if you currently perform a SOC 2 or 3 report, you should invest some effort to begin to map your existing controls to the suggested criteria to ensure your organization has the appropriate controls designed to achieve the criteria. If you do not currently have a SOC 2 or 3 report, but you’re starting to prepare for a future report (periods ending on or after Dec. 15, 2014), we recommend utilizing the new criteria.
If you review SOC 2 or 3 reports as part of your organization’s vendor compliance program, you can identify which criteria are being utilized by the reference of TSP 100 (new standard) or TSP 100A (prior criteria).