What Are the Trust Services Criteria and Categories?

To comply with the System and Organization Controls (SOC) 2 reporting requirements, auditors must evaluate whether controls at the service organization meet the applicable trust services criteria (TSC), which can relate to a broad range of systems. As defined by the American Institute of Certified Public Accountants (AICPA), the TSC include five categories.

TSC categories:

  • Security (or common criteria) – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability – Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

The AICPA requires the application of the TSC for every SOC 2 engagement. Since security is a common component of each of the five categories, a SOC 2 engagement must cover security as a minimum requirement. These security requirements are also referred to as the common criteria and are applicable to all SOC 2 examinations.

Organizations can exercise discretion regarding which of the remaining categories they apply. The application of availability, processing integrity, confidentiality, and privacy depends on:

  • Organization’s industry sector
  • Types of services it provides
  • Customer contracts, service level agreements, and their stipulations
  • Key stakeholder requirements
  • Types of data that the service organization maintains or stores
  • Criticality of operational tasks or processing activities

With certain exceptions, such as an engagement with a limited scope or the non-applicability of certain criteria, every criterion should be analyzed and included in the report. Regardless of the categories included within the scope of the examination, SOC 2 reports are restricted-use reports, meaning that only the organization, its customers, and certain other parties should use them.

SOC 2 reports can help organizations:

  • Improve oversight
  • Demonstrate a commitment to data protection and risk management
  • Streamline compliance with additional regulations
  • Establish and maintain security as a competitive advantage

Schneider Downs employs a unique approach to SOC reports, integrating the expertise of information technology, internal audit, and external audit professionals. By combining cross-disciplinary knowledge and project management expertise, we are able to effectively deliver on our clients’ expectations. If you are interested in learning how we can assist your organization, please contact us to get started or learn more about our practice at www.schneiderdowns.com/soc

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.