The AICPA’s Trust Services Principles and Criteria (TSPC) were revised in January 2014 and must now be incorporated into all SOC 2 and 3 examinations for periods ending after December 15, 2014. Only the Trust Services Principles – security, availability, processing integrity and confidentiality – were affected. The Generally Accepted Privacy Principles (GAPP) are currently under revision, and therefore the GAPP versions published as of 2009 are still in effect.
Why the Change?
SOC 2 examination reports, first released in 2011, leverage the TSPC, which were originally designed for SysTrust and WebTrust reports in the late 1990s. The TSPC were not designed with the SOC 2 presentation model in mind, in which the service organization and its auditor must disclose, for each principle reported on, each internal control used to meet the applicable criteria, the procedures used to test operating effectiveness, and the results of those tests.
The criteria for each principle were derived from the criteria for the security principle. As a result, the criteria for the different principles overlap substantially. When service organizations and auditors align control activities and test procedures to those criteria for disclosure in their reports, the result is a repetitive listing of the same controls, test procedures and results under each principle. This information is typically presented in the service auditor’s portion of the report, and the repetition can create confusion both for the user of the report and for the service auditor publishing it. The revisions to the TSPC are intended to correct these issues for future SOC 2 reporting.
Users of SOC 3 reports may not notice these changes as readily, since SOC 3 reports do not disclose the alignment between the applicable criteria and the service organization’s internal controls.
What are the changes?
The most significant change to the TSPC is that the criteria for the security, availability, processing integrity and confidentiality principles are now organized into:
1. Criteria that are applicable to all four principles (common criteria), and
2. Criteria unique to a single principle.
The common criteria alone (group 1) constitute the complete set of criteria for the security principle. For the principles of availability, processing integrity and confidentiality, the complete set of criteria comprises all of the common criteria plus all of the criteria unique to each principle being reported on (groups 1 and 2). In addition, the criteria themselves have been modified to better reflect the current needs of report users. Although most of the old criteria map to the new criteria, there are aspects of the new criteria that were not previously addressed, so a control environment built against the old criteria may not fully cover the new ones.
What will the impact be?
These changes aim to streamline SOC 2 reports: the common criteria, management’s internal controls used to fulfill those criteria, the test procedures and the results will no longer have to be repeated under each principle reported on. This should improve the understandability and overall quality of SOC 2 reports going forward.
Organizations currently receiving SOC 3 reports will not see these effects directly, since their reports do not include disclosures about the specific control activities that management and the service auditor evaluated for each relevant criterion. However, whether an organization receives a SOC 2 or a SOC 3 report, the revisions to the criteria themselves may reveal gaps in control coverage against the new TSPC.
What to do?
A service organization currently engaged with a service auditor should ask the auditor to provide a mapping between the old and new criteria. Unfortunately, the AICPA has not yet published an authoritative mapping, so service auditors and the service organizations they serve will have to rely on professional judgment. The service organization will need to realign its control activities with the new criteria, using the mapping provided by its service auditor. Entities should work with their auditors to evaluate any potential gaps and the impact on the current reporting period. Assuming that any gaps identified are manageable, they should consider adopting the revised TSPC in the current reporting period in order to benefit from the streamlined, improved reporting.
Service organizations new to SOC 2 and 3 reporting should adopt the revised TSPC as soon as possible to avoid the challenges associated with implementing criteria according to the previous TSPC and then having to convert in 2015.
SOC 2 and 3 report users also need to be aware that the revised TSPC may change which internal controls are identified and tested in the reports they receive from their service providers. This may affect users’ assessments of internal controls at their key service providers and any mappings they maintain from those controls to their own internal control requirements.