SOC 2 Reports: Revised Trust Services Principles and Criteria with the AICPA Mapping

SSAE 16/SOC

By Troy Fine

The AICPA Assurance Services Executive Committee (ASEC) has recently released the revised version of the Trust Services Principles and Criteria (TSPC), which are used to evaluate controls relevant to the security, availability and processing integrity of a system, and to the confidentiality and privacy of the information the system processes. The changes to the TSPC are broad-based, but they are mainly organizational in nature.

The 2014 version of the Trust Services Principles and Criteria supersedes the 2009 version and is effective for periods ending on or after December 15, 2014, with earlier implementation permitted. For periods ending before December 15, 2014, practitioners are responsible for identifying which version of the criteria was used for the report and the assertion. The criteria for the privacy principle are still under revision and have not been updated.

If your organization has a SOC 2 report or has considered obtaining one, you may have noticed that there was quite a bit of overlap among the TSPC. To reduce this redundancy, the criteria that applied to all four principles (Security, Availability, Processing Integrity and Confidentiality) in the 2009 version of the TSPC have been integrated into a single set of criteria. This single set was developed using the Security principle as the baseline and is now referred to as the Common Criteria. The criteria for Availability, Processing Integrity and Confidentiality no longer repeat the criteria of the Security principle. However, an evaluation of a system against any of these principles must cover the Common Criteria plus the criteria that are unique to Availability, Processing Integrity and/or Confidentiality. The criteria for all principles, excluding privacy, have been updated to ensure that they appropriately address the risks relevant to each principle being reported on.

Additionally, the 2009 version organized the criteria into four broad areas (Policies, Communications, Procedures and Monitoring), while the 2014 version organizes the Common Criteria into seven categories. The seven categories are defined below:

2014 TSPC Categories

  1. Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units.

  2. Communications: The criteria relevant to how the organization communicates its policies, processes, procedures, commitments and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.

  3. Risk management and design and implementation of controls: The criteria relevant to how the entity (i) identifies potential risks that would affect the entity’s ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.

  4. Monitoring of controls: The criteria relevant to how the entity monitors the system, including the suitability of the design and the operating effectiveness of the controls, and takes action to address deficiencies identified.

  5. Logical and physical access controls: The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.

  6. System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.

  7. Change management: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.

UPDATE: The AICPA recently released the "Trust Services Criteria Mapping", which details how the 2009 trust services criteria relate to the 2014 trust services criteria.

For more information on the revised Trust Services Principles and Criteria, please contact a member of our SOC team.

© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.
