As the December 15th deadline quickly approaches, many organizations might be thinking how they should be preparing for the new SOC 2 Trust Services Principles and Criteria (TSPC). The new SOC 2 TSPC must be used for any examination periods that end on or after December 15, 2014.
Trust Services Principles and Criteria
For organizations that have successfully completed a SOC 2 examination using the 2009 TSPC, the following steps should be considered to ensure that your organization has a smooth transition from the previous TSPC to the new TSPC.
- Review the AICPA’s SOC 2 TSPC guide and obtain an understanding of the changes that were implemented.
- Review the AICPA’s recently released TSPC mapping document, which describes how the 2009 TSPC map to the 2014 TSPC.
- Identify the criteria that your current control environment does not satisfy and develop implementation plans to either A) define new controls or B) modify existing controls.
- Meet with your independent auditor to review your control environment to ensure that your current controls meet the requirements of the new SOC 2 TSPC.
- Provide training to personnel responsible for performing new and/or modified controls, to ensure that they understand their roles.
- Monitor personnel responsible for performing new and/or modified controls, to determine if controls are properly being performed and will meet the requirements of the new TSPC.
For organizations that have not completed a SOC 2 examination and are going through the process for the first time with the new TSPC, the following steps should be considered to ensure successful completion:
- Meet with your independent service auditor to review the new SOC 2 TSPC to ensure that your organization understands the new TSPC and has sufficient resources in place to dedicate to the examination.
- Determine which trust principles (Security, Availability, Confidentiality, Processing Integrity and Privacy) should be included in the scope of the SOC 2 examination.
- Perform a readiness assessment with your service auditor to identify criteria that might not be satisfied with your current control environment.
- Develop remediation plans for criteria that are not satisfied, to ensure that appropriate controls are implemented prior to the start of your SOC 2 examination period.
- Have your auditor perform testing of controls about one month into the examination period, to identify any controls that may not be operating as intended.
- Based on your auditor’s initial testing, develop plans to remediate any issues that were identified as soon as possible.
Schneider Downs’ SOC 2 experts have completed SOC 2 examinations using the 2014 TSPC and have assisted clients in transitioning from the 2009 TSPC to the 2014 TSPC. If your organization looking is for a service auditor to assist you with your transition to the new 2014 TSPC or to assist you with your SOC 2 compliance, we invite you to visit our Service Organization Control page or to contact one of our professionals to discuss your needs.
© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.