SOC 2 Reporting - Help is on the Way!

Do you struggle with the Trust Services Principles and Criteria (TSPC) that are used as the basis for evaluation of controls relevant to security, availability and processing integrity of a system and the confidentiality and privacy of the information processed by the system?  The TSPC criteria were established by the AICPA for practitioners when providing attestation (i.e., SOC 2 reports) or consulting services (i.e., control assessments).  If you are like many of us who use the TSPC for SOC 2 reports or have to review SOC 2 reports to assess the security and controls of a third-party service provider, they can be redundant and complex.  The good news is that an updated version of the TSPC is just over the horizon!  The update provides clarity of the criteria, eliminates redundancy among the criteria and is more relevant to the changing technology environment.

The Assurance Services Executive Committee (ASEC) of the AICPA assembled a Trust Information Integrity Task Force to undertake the significant effort to revise the TSPC.  The exposure draft was released and comment period has occurred with the expected release date of the updated TSPC to be issued in January 2014.  The revised TSPC are expected to be effective for periods on or after March 15, 2014.  The only exception to the newly revised TSPC is the exclusion of the privacy principle contained in the generally accepted privacy principles (GAPP), which are being revised as a separate initiative.

This new revision has been restructured into (1) the criteria that are applicable to all four principles (common criteria) and (2) criteria applicable only to a single principle. The common criteria constitute the complete set of criteria for the security principle. For the principles of availability, processing integrity and confidentiality, a complete set of criteria is composed of all of the common criteria and all of the criteria applicable to the principle(s) being reported on. The common criteria are organized into seven categories following the key concepts of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. In addition, the TSPC will also include “Illustrative Risks and Controls,” to provide examples of risks that may prevent the criteria from being met as well as examples of controls that would address those risks.  This new TSPC should provide the clarity and relevant applicability needed for more effective control criteria and assist in providing more beneficial results.

If you have questions about SOC 2 reporting, please contact a member of our SOC Team.

© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

The Privacy of Consumer Banking Data and the Financial Data Exchange
National Flood Insurance Program Extension
Continued Compliance with CAISO SQMD Requirements in Non-Reporting Years
Bill S. 1564 Calls for Delay of CECL Implementation Until a Quantitative Economic Impact Study is Completed
Artificial Intelligence in Higher Education
Why Higher Education Institutions Must Comply with GDPR

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office

One PPG Place, Suite 1700
Pittsburgh, PA 15222
p:412.261.3644     f:412.261.4876

Map of Columbus Office

65 East State Street, Suite 2000
Columbus, OH 43215
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102