SOC Reporting: Transitioning to the Revised Trust Services Criteria
By Jackie Hensgen, Julie Ganshert, and Dan Buttke, Baker Tilly
In 2017, the American Institute of Certified Public Accountants (AICPA) released updated Trust Services Criteria (TSC). System and Organization Controls (SOC) reporting relies on the TSC to evaluate and report on the controls at an organization as part of SOC 2 and SOC for Cybersecurity examinations. SOC 2 reports on the controls of a service organization relevant to technology and/or operational concerns, measured against the TSC. SOC for Cybersecurity reports on the controls within an entity’s cybersecurity risk management program. The AICPA refined the TSC to make the criteria more flexible to apply and to better address cybersecurity risks.
The options against which an organization can report remain the same, but the revised TSC renames the five “principles” (security, availability, processing integrity, confidentiality and privacy) as “categories.”
Criteria structure changes
There are significant updates to the criteria within each category, including:
- COSO: The Committee of Sponsoring Organizations of the Treadway Commission’s 2013 Internal Control - Integrated Framework (COSO framework) is now the basis for the TSC. The COSO framework is a widely used and accepted internal control framework intended to be applied to internal control within 1) an entity taken as a whole, or 2) a segment of an entity.
- Added criteria: Criteria were added for supplemental risk management, including better alignment with cybersecurity risks, and for general information technology (IT) control areas such as logical and physical access, system operations and change management.
- Judgment: Applying the TSC in actual situations requires judgment. Points of focus describe important characteristics of each criterion; they illustrate what to consider and help in designing controls, but the criteria, not the individual points of focus, are what an examination evaluates.
Common criteria changes
The common criteria (the security category) are required in every SOC 2 examination, and service organizations should be aware of the extensive changes to them as they plan for upcoming examinations. New control areas for which companies will need to add planning time include:
- Board governance: Independence, expertise, reporting
- Employee performance management: Incentives and pressures, retention, succession planning
- Consideration of certain business risks: Strategic risks, fraud risks, IT assets, third parties
- Control activities: Identifying controls to address risks, continuous monitoring and/or separate evaluations, addressing non-compliance
- Specific IT activities: Configuration management, media sanitization and disposal, increased incident response requirements
Focus areas for insurance companies
As business relationships and emerging risks continue to grow and become more complex, there is an increasing need for transparency in controls and processes. A large component of those risks is vendor management, which remains a focus in the 2017 TSC. Insurers are increasingly relying on outside service organizations to support a variety of business operations and need to be able to assess and manage the risks associated with these relationships. In the new TSC, insurance organizations should review criterion CC9.2 (The entity assesses and manages risks associated with vendors and business partners) and its points of focus when evaluating or establishing controls for monitoring their vendors.
In addition, regulators are putting more pressure on the security of data, as evidenced by the recently issued National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law and the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies. Like these regulations, the new TSC calls for more controls over risk assessment activities, including understanding the entity’s systems and where its data is located, and for an effective incident response plan that is put in place and periodically tested.
Prepare to transition
The updated TSC will be required for SOC reports covering periods ending on or after December 15, 2018. The previous version of the TSC (issued in 2016) may be used during the transition period, so the timing of an organization’s examination determines which TSC version applies. Insurance companies issuing a SOC report should confirm the timing of their 2018 SOC 2 examination period with their service auditor. Insurance companies using SOC 2 reports to assess their vendors should understand what new components the reports will include under the new TSC.
As organizations transition to the new TSC, additional planning time should be built into the SOC examination. Before the examination period begins, gaps against the new criteria need to be assessed and new controls implemented to address them. Existing SOC control matrix mappings need to be updated to reflect the changes to the common criteria. Beyond implementing additional controls, organizations need to review and enhance their system description so that it describes the additional control processes. The entity should review these changes with its service auditor during the planning stage or complete a readiness assessment before the examination.
Don’t be surprised – complete a readiness assessment
The updates to the TSC represent the most significant changes to the criteria since the inception of the SOC 2 report. We strongly recommend that organizations set aside additional time during their SOC planning activities to perform a readiness assessment against the new TSC. The level of effort will vary by organization, depending on whether the review of the new TSC and the mapping of current controls can be completed in a single working session with key stakeholders or requires multiple iterations.
A separate readiness assessment helps minimize disruption to examination and reporting activities by giving the organization an earlier understanding of the new TSC requirements and sufficient lead time to address them with supplemental controls.
While the changes in the new TSC will increase the level of effort required for a SOC 2 examination, they will better position service organizations to meet the demands of the marketplace and provide greater clarity for the users of their reports.
Julie Ganshert, Firm Director, Baker Tilly
Jackie Hensgen, Firm Director, Baker Tilly
Dan Buttke, Senior Manager, Baker Tilly