Truvantis Blog

The New SOC 2 and You: How You Should Proceed

Written by Truvantis | Feb 12, 2019 9:31:00 PM

Under mounting pressure to keep up with an ever-changing body of regulations and increased demands for transparency, the American Institute of Certified Public Accountants (AICPA) has adjusted the Service Organization Control 2 (SOC 2) framework. A SOC 2 is an attestation report designed to provide assurance that your service providers are securely managing your organization’s data to protect both your clients’ privacy and your company’s best interests. The audit encompasses a set of Trust Service Criteria (TSC) set by the AICPA for managing customer information, organized around five “trust service categories”:

  • Security: the protection of system resources and data against access from unauthorized actors
  • Availability: the accessibility of the system, products or services as outlined by a contract or service level agreement
  • Processing integrity: the extent to which the system can achieve its purpose
  • Confidentiality: whether an organization’s data’s access and disclosure are limited to a specific set of people or organizations
  • Privacy: the system’s collection, use, retention, disclosure and disposal of personal information

In April 2017, the AICPA updated and redefined the Trust Service Criteria, and as of December 15, 2018, all SOC 2 audits must be conducted in accordance with the new standards. In this most recent iteration, the TSC were restructured to better align with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and its 17 underlying principles. With these changes, an auditee now must:

  • Demonstrate commitment to integrity and ethical values
  • Ensure that its board exercises oversight responsibility
  • Establish structures, reporting lines, authorities and responsibilities
  • Select and develop control activities that mitigate risks
  • Select and develop technology controls
  • Deploy control activities through policies and procedures
  • Perform ongoing or periodic evaluations of internal controls (or a combination of the two)

Auditors can now also evaluate control effectiveness in examinations of various subject matters, including those encompassed by the five “trust service categories,” at any of the following levels:

  • An entire entity
  • A subsidiary, division or operating unit
  • A function or system
  • Specific types of information used by the entity

Additionally, the supplemental criteria, applying to the achievement of the entity's objectives relevant to the engagement, are now organized as follows:

  • Logical and physical access controls: the criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access
  • System operations: the criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations
  • Change management: the criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made
  • Risk mitigation: the criteria relevant to how the entity identifies, selects and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners

If your organization already has a SOC 2 report that was conducted before the latest changes went into effect, you may need to map those controls to the new Trust Service Criteria. After you have done that, your organization may have to identify any gaps in its controls. Gaps commonly found include:

  • Mitigating risks for business disruption and recovery
  • Considering fraud as a component of the risk assessment
  • Independent oversight by the board
  • Adequate protection over the destruction of assets containing sensitive information

Finally, once you have identified any gaps in your control coverage, you will probably need to address how to remediate them. These may be controls already in operation that were not reported on in your old SOC 2, or new controls that are yet to be implemented.