OUR THOUGHTS ON:

SOC 2 Reporting - Help is on the Way!

Risk Advisory/Internal Audit

By Frank Dezort

Do you struggle with the Trust Services Principles and Criteria (TSPC) that are used as the basis for evaluating controls relevant to the security, availability and processing integrity of a system and the confidentiality and privacy of the information it processes? The TSPC were established by the AICPA for practitioners providing attestation services (i.e., SOC 2 reports) or consulting services (i.e., control assessments). If you are like many of us who use the TSPC for SOC 2 reports, or who have to review SOC 2 reports to assess the security and controls of a third-party service provider, you know the criteria can be redundant and complex. The good news is that an updated version of the TSPC is just over the horizon! The update clarifies the criteria, eliminates redundancy among them and is more relevant to the changing technology environment.

The Assurance Services Executive Committee (ASEC) of the AICPA assembled a Trust Information Integrity Task Force to undertake the significant effort of revising the TSPC. The exposure draft has been released and the comment period has concluded, with the updated TSPC expected to be issued in January 2014. The revised TSPC are expected to be effective for periods ending on or after March 15, 2014. The one exclusion from the revision is the privacy principle contained in the Generally Accepted Privacy Principles (GAPP), which is being revised as a separate initiative.

The revision is restructured into (1) criteria applicable to all four principles (the common criteria) and (2) criteria applicable only to a single principle. The common criteria constitute the complete set of criteria for the security principle. For the availability, processing integrity and confidentiality principles, a complete set of criteria consists of all of the common criteria plus all of the criteria specific to the principle(s) being reported on. The common criteria are organized into seven categories that follow the key concepts of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. In addition, the TSPC will include “Illustrative Risks and Controls,” giving examples of risks that may prevent a criterion from being met along with examples of controls that would address those risks. The new TSPC should provide the clarity and relevance needed for more effective control criteria and help produce more beneficial results.

If you have questions about SOC 2 reporting, please contact a member of our SOC Team.

© 2014 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.