SOC reporting: Understanding key changes ahead
INSIGHT ARTICLE
During 2017, the American Institute of Certified Public Accountants (AICPA) issued a number of material changes to System and Organization Controls (SOC) reporting. The majority of the changes issued in 2017 focus on enhancing SOC 2 and SOC 3 reports, as demand for these reports continues to grow. The new guidance issued by the AICPA must be implemented for SOC reports dated after Dec. 15, 2018, but organizations may adopt the new standards early.
The following is a summary of changes that will require updates to SOC reports:
TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (SOC 2 and 3)
To allow the Trust Services Criteria to also be used in entity-wide engagements, the criteria have been aligned with the 17 principles in the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) framework. The prior TSP 100 referred to "principles and criteria"; the new TSP 100 refers to them as "trust services criteria."
The Trust Services Criteria also include additional criteria that address various cybersecurity risks. In addition, the terminology changed from "principles" to "categories," which are selected beyond the 17 COSO principles. Those categories consist of the criteria common to all five trust services categories, i.e., security (the common criteria), plus additional specific criteria for the availability, processing integrity, confidentiality and privacy categories.
The AICPA updates rearrange many of the existing concepts and criteria. However, certain areas also receive increased focus, including cybersecurity risks, fraud risk assessments and managing risks related to vendors and business partners, while many confidentiality aspects were pulled into the common criteria.
Description Criteria (SOC 2)
As of summer 2017, the Description Criteria have not been finalized and are awaiting public comment on the July 24, 2017 exposure draft. Currently, the Description Criteria for SOC reports are included within the AICPA SOC 2 audit guide. With the exposure draft, the Description Criteria will be published within a separate document, much like the TSP 100.
Based on the currently proposed changes, the Description Criteria will require a number of key additional disclosures within the SOC report. A summary of the material changes is below.
Service commitments and system requirements
The service organization designs controls to achieve its objectives commensurate with its commitments, related to the services the system provides, and with the system requirements necessary to achieve them. Thus, to allow report users, who are not necessarily current clients of the service organization, to fully understand the controls, the description will require disclosure of the specific service commitments and system requirements that are communicated to current users of the system.
The AICPA defines a system incident as a system event that requires action on the part of service organization management to achieve the service organization's service commitments and system requirements. For system incidents identified during the 12-month period preceding the "as of date" or the "period end date" that resulted in a significant impairment of the service organization's achievement of its service commitments and system requirements, the description may need to include disclosures related to those incidents.
Other factors to consider for disclosure within the SOC report include whether laws or regulations require public disclosure of the incident, whether the incident has a material effect on the service organization's financial position or required disclosure in a financial statement filing, and whether the incident resulted in sanctions by any legal or regulatory agency.
Service organizations should discuss these upcoming SOC changes with a trusted advisor to fully understand the new requirements and develop a strategic road map to meet the new standards. A few of the key items that need to be considered and performed when developing the plan are:
- Review the timeline in which your report is typically issued, and determine whether the new guidance will affect your 2018 report. Consider moving to an earlier report period.
- Determine how ready your organization is today, and how long it will take you to remediate and implement the new requirements.
- Review the new TSP 100 and Trust Services Criteria, and map your controls to the criteria.
- Design controls for the additional criteria that were introduced to address cybersecurity risks.
- Update the report description and your report disclosures to include the service commitments and system requirements that are consistent for all of your users.
- Log all potential incidents and evaluate whether any incidents occurred that are material to achieving system commitments, for potential disclosure.