Organizations should carefully review and assess major impacts on SOC 2® reports
In response to the recent updates in the underlying attestation standards for examinations in SSAE No. 18, Attestation Standards: Clarification and Recodification (SSAE 18), the new 2017 Trust Services Criteria and the 2018 Description Criteria, the American Institute of Certified Public Accountants (AICPA) has released additional guidance for practitioners as it relates to SOC 2® reporting on a service organization’s controls over security, availability, processing integrity, confidentiality and privacy of personal information on the service organization’s system. It will serve as the basis for CPAs to help organizations understand the effect of these new standards and help service organizations transition to the new criteria. In particular, the implementation guidance for the 2018 Description Criteria provides specific examples for each criteria, which will be helpful in application.
Why the new guidance matters
SOC 2® reports play an important role in the oversight of an organization, vendor management programs, internal corporate governance and risk management processes. As vendor management has taken higher priority among most organizations, the SOC 2® reporting framework has become a useful and efficient tool to provide insight on and assurance regarding a service organization’s system to external IT risk and compliance stakeholders. This new guidance enhances these important roles and consolidates the various reporting and criteria updates.
Which guidance effective date applies to you?
The AICPA SOC 2® guide is effective as of Jan. 1, 2018. The guide includes updates from SSAE 18 that are effective now; however, much of the guidance is related to implementing the 2018 Description Criteria and the 2017 Trust Services Criteria (which are effective for reports with examination periods ending after Dec. 15, 2018). Service auditors will need to apply judgment on how to adopt some of these elements for SOC 2® reports with periods ending before Dec. 15, 2018.
Key SOC 2® guide highlights for reports with periods ending on or before Dec. 15, 2018:
- The guide provides more clarity between the privacy and confidentiality criteria. Privacy is only applicable to personal information as opposed to confidentiality, which covers various types of sensitive information.
- There is an increased focus on vendor management and monitoring. Service organizations must state their vendor monitoring controls in the SOC report. Service organizations should revisit and augment their vendor management procedures to formally demonstrate these controls.
- If an organization uses a subservice organization (vendors are classified as subservice organizations when the controls at the vendor are necessary in combination with the service organization’s controls to meet organization’s service commitments and system requirements), the complementary subservice organization controls expected to be implemented at the carved-out subservice organizations are required to be disclosed.
- There is an increased focus on monitoring of controls. Organizations and auditors should evaluate whether there are sufficient monitoring processes in place around the controls and if there is appropriate evidence supporting these monitoring activities.
Significant impact on reports for periods ending after Dec. 15, 2018, under the 2018 Description Criteria:
- Service organizations must define their principal service commitments and system requirements made to user entities and state them in the description. These service commitments and system requirements need to be defined during the planning stage of the examination and should be included in the service auditor’s engagement letter. During the examination, the service auditors will, in turn, be required to determine if controls were suitably designed and operating effectively (in a Type 2 examination) to provide reasonable assurance that service commitments and system requirements were achieved based on the applicable trust services criteria.
- New description criteria require disclosures about system incidents as of the date of the description (Type 1) or during the period of time covered by the report (Type 2). Organizations and service auditors will need to work together to ensure there is a sufficient process for identifying this information. While not required for period ending prior to Dec. 15, 2018, a good working process should be defined prior to the start of the service organization’s reporting period.
Connect with us.
Download our e-book “System and Organization Controls (SOC): A guide to transitioning to the new Trust Services Criteria”. For more information, contact Baker Tilly’s SOC practice.