The American Institute of Certified Public Accountants (AICPA), and more specifically the AICPA Assurance Services Executive Committee (ASEC), recently issued TSP Section 100, a new set of Trust Services Criteria that applies to SOC 2, SOC 3, and SOC for Cybersecurity engagements and supersedes the 2016 TSP Section 100A.
When is the change effective?
SOC 2 reports can be issued under the 2016 guidance through December 14, 2018. Any report issued on or after December 15, 2018, must use the new 2017 Trust Services Criteria; early adoption is permitted.
What changed and why?
The guidance, formerly referred to as the Trust Services Principles and Criteria, has been renamed the Trust Services Criteria.
The principal reason for issuing the updated guidance was to link the TSP more closely to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control – Integrated Framework. The business community most commonly recognizes COSO as the framework of choice for assessing the design and operating effectiveness of an entity’s internal control over financial reporting. The TSP, like COSO, is used to evaluate internal controls and, more specifically, controls over security, availability, processing integrity, confidentiality, and privacy. According to the AICPA, one of the key benefits of this update is the closer alignment of these two essential frameworks. The AICPA also noted that the updated TSP framework addresses cybersecurity risks more directly and allows for more flexible application.
COSO Internal Control – Integrated Framework
COSO comprises 17 principles, which are organized into 5 categories:
- Control Environment
- Communication & Information
- Risk Assessment
- Monitoring Activities
- Control Activities
As stated in COSO Principle No. 12, “The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.” By linking the COSO Integrated Framework more closely with the TSP, and by adding what is now referred to as the “supplemental criteria,” the new TSP augments the COSO principles for evaluating internal controls over security, availability, processing integrity, confidentiality, and privacy. Specifically, TSP Section 100.5 defines the supplemental criteria as follows:
- Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access
- System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations
- Change management: The criteria relevant to how an entity identifies the need for changes, makes changes using a controlled change management process, and prevents unauthorized changes from being made
- Risk mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners
Points of Focus
Part of the COSO and TSP integration was the adoption of points of focus into the new TSP. Points of focus provide guidance and examples of important characteristics that should be considered for each control criterion. While the points of focus are new to the TSP, they have always been part of the COSO Integrated Framework.
The TSP does not require each point of focus to be addressed; instead, management should tailor the applicable points of focus, or identify and evaluate other characteristics, based on the specific facts and circumstances of its system of controls. As any SOC auditor will freely admit, applying the TSP involves judgment, and that judgment will be crucial when reviewing the points of focus, since not all of them will be applicable or suitable for every service organization.
The 2017 Trust Services Criteria can be purchased from the AICPA store. A mapping of the 2017 Trust Services Criteria to the 2016 TSP, including the updated points of focus for each criterion, is available for download from the AICPA’s website.