Strategies for Service Organizations to Prepare for the New SOC 2 Reporting Requirements

Service organizations that undergo a SOC 2 examination, or are currently preparing to have one performed, should be aware of the recently updated requirements and how their pending SOC 2 examinations will be impacted. The specific changes pertain to the updated 2017 Trust Services Criteria (TSC) and the 2018 SOC 2 Description Criteria (DC). For more information on the specifics of these changes, refer to our recent SOC 2 update article.

When the SOC 2 as-of date for a Type 1 report or the period-end date for a Type 2 report is on or after December 16, 2018, the 2017 TSC and the 2018 DC must be used. If the as-of date or the period-end date is on or before December 15, 2018, then either version of the TSC (2016 or 2017) and DC (2015 or 2018) may be used. Keep in mind that the 2018 DC were intended to be used with the 2017 TSC. Therefore, if a service organization uses the 2018 DC, then it must use the 2017 TSC.

With the effective date right around the corner, service organizations might be wondering how to best prepare. Below, we will walk through the steps service organizations should perform in order to prepare for these updates, based on different scenarios.

  • Scenario 1 – A service organization issued a SOC 2 report under the 2016 TSC and 2015 DC and the SOC 2 examination period-end date is on or before 12/15/18:
    • Perform next examination under 2016 TSC and 2015 DC.
    • Perform a readiness assessment under the 2017 TSC and 2018 DC to identify new controls that will need to be implemented to meet the 2017 TSC and 2018 DC requirements for the following year’s SOC 2 examination.
       
  • Scenario 2 – A service organization issued a SOC 2 report, or completed a readiness assessment, under the 2016 TSC and 2015 DC and the SOC 2 examination period-end date is on or after 12/16/18:
    • Map current controls to the 2017 TSC, identify control gaps and implement controls, as necessary.
    • Determine if controls and system description meet the 2017 TSC and 2018 DC.
    • If yes, leave report period-end date as is and perform examination under the 2017 TSC and 2018 DC.
    • If no, determine if moving up the report period-end date to on or before 12/15/18 is an option.
      • Base this decision on customer requirements.
      • If end date cannot be moved up, the service organization will have to perform the examination under the 2017 TSC and 2018 DC.
        • The service organization risks having pervasive exceptions, thus causing the SOC 2 report to be qualified.
      • If end date can be moved up, the service organization should move the report period-end date up.
        • In addition, the service organization should perform a readiness assessment under the 2017 TSC and 2018 DC to identify new controls that will need to be implemented to meet the 2017 TSC and 2018 DC requirements for the following year’s SOC 2 examination.
           
  • Scenario 3 – A service organization is in the process of evaluating CPA firms to perform a SOC 2 examination:
    • Evaluate CPA firms and ask if they have issued any reports under the 2017 TSC and 2018 DC.
    • Engage a CPA firm to perform a readiness assessment using the 2017 TSC and 2018 DC.

Schneider Downs has converted several of its clients over to the new SOC 2 requirements. In addition, we have early-adopted the updated SOC 2 requirements and have issued SOC 2 reports for new clients using the updated SOC 2 requirements.

For more information on how to prepare for the impending SOC 2 changes, please visit our SOC FAQs page or feel free to contact a member of our SOC Reporting team.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
