United States

SOC reporting: Understanding key changes ahead


During 2017, the American Institute of Certified Public Accounts (AICPA) issued a number of material changes to System and Organization Controls (SOC) reporting. The majority of the changes issued in 2017 are focused on enhancing SOC 2 and 3 reports, as demand continues to grow for these reports. The new guidance issued by the AICPA must be implemented for SOC reports dated after Dec. 15, 2018, but organizations may early adopt the new standards.

The following is a summary of changes that will require updates to SOC reports:

TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (SOC 2 and 3)

To allow the Trust Services Criteria to be also used in entity wide engagements, the criteria have been aligned with the 17 principles in the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) framework. The prior TSP 100 referred to principles and criteria; whereas, the new TSP was updated to be referred to as trust services criteria. 

The Trust Services Criteria also included additional criteria to align with various cybersecurity risks. In addition, a change in terminology from principles to categories was introduced that can be selected beyond the 17 COSO principles. Those categories include the criteria common to all five of the trust service categories: security (common criteria) and additional specific criteria for the availability, processing integrity, confidentiality and privacy categories.

The AICPA updates rearrange many of the existing concepts and criteria. However, certain areas also have an increased focus including cybersecurity risks, fraud risk assessments and managing risks related to vendors and business partners, while many confidentiality aspects were pulled into the common criteria.

Description Criteria (SOC 2)

As of summer 2017, the Description Criteria have not been finalized and are awaiting public comment on the July 24, 2017 exposure draft. Currently, the Description Criteria for SOC reports are included within the AICPA SOC 2 audit guide. With the exposure draft, the Description Criteria will be published within a separate document, much like the TSP 100.

Based on the current suggested changes, the Description Criteria will have a number of key additional disclosures required within the SOC report. A summary of the material changes are below.

Service commitments and system requirements

The service organization is designing controls to achieve its objectives commensurate to its commitments and related to the services the system provides and the system requirements necessary to achieve them. Thus, to allow report users, who are not necessarily current clients of the service organization, to fully understand the controls, the description will require disclosure of the specific service commitments and system requirements that are communicated to current users of the system.

System incidents

The AICPA defines system incidents as a system event that requires action on the part of service organization management to achieve the service organization’s service commitments and system requirements. For system incidents identified during the 12-month period preceding the “as of date” or the “period end date” that resulted in a significant impairment of the service organization’s achievement of its service commitments and system requirements, the description may need to include disclosures related to those incidents. 

Other factors to consider for disclosure within the SOC report include; whether laws or regulation require public disclosure of the incident, if the incident has a material effect on the service organization’s financial position or required disclosure in a financial statement filing, and whether the incident resulted in sanctions by any legal or regulatory agency.

Next steps

Service organizations should discuss these future SOC changes with a trusted advisor to fully understand the new requirements and develop a strategic road map to meet the new standards. A few of the key items that need to be considered and performed when developing the plan are:

  • Review the timeline in which your report is typically issued, and determine if this will affect your 2018 report. Consideration could be given to moving to an earlier report     period.
  • Determine how ready your organization is today, and how long will it take you to remediate and implement some of the new requirements.
  • Review the new TSP 100 and Trust Services Criteria, and map their controls to the criteria.
  • Design controls for the additional criteria that were implemented for cybersecurity risks.
  • Update the report description and your report disclosures to include the service and system requirements that are consistent for all of your users.
  • Log all potential incidents and evaluate if any incidents occurred that are material to achieving system commitments for potential disclosure.


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.




The path to HITRUST for health care: Streamlining risk compliance

  • December 10, 2020


Effectively managing enterprise risk for board members

  • September 23, 2020