The AICPA’s Assurance Services Executive Committee (ASEC) Trust Information Integrity Task Force ensures the technical accuracy of the TSC. The ASEC keeps watch over all the changes made through the AICPA and other decision-making entities regarding System and Organization Controls (SOC) 2 reporting elements. Its mission is to make sure all businesses required to perform SOC audits have easy access to all the necessary information.
The AICPA’s ASEC published a SOC 2 reporting update that included a new set of 2017 Trust Services Criteria and integration with the 2013 COSO Framework. This article details the changes that resulted from the reporting update and how the TSC is shaping SOC 2 reporting to this day.
Are the TSP Different from the TSC?
A few years ago, the name “Trust Services Principles” for SOC 2 reporting was changed to “Trust Services Criteria.” But the concept remains the same—offering a framework for assessing the controls related to information and systems and reporting on them. Plus, the five categories encompassed in the framework have remained the same.
What is the Trust Services Framework?
The Trust Services framework is constructed of the Trust Services Criteria. The TSC are control criteria for assessing and reporting on controls for information and systems. They are meant to be used in consulting engagements or attestations.
These controls may cover areas that include:
- An entire entity.
- A subsidiary division or operating unit level.
- Internally and within a function relevant to the entity’s operational, compliance or reporting objectives.
- A specific type of information used by the entity.
What are the 5 Trust Services Criteria for SOC 2?
The five Trust Services Criteria categories required for SOC 2 reporting are security, availability, processing integrity, confidentiality, and privacy. Since December 2018, all SOC 2 audits must comply with these five criteria as outlined in TSP Section 100.
- Security – A business’s data and computing systems are protected against unauthorized access, unauthorized or inappropriate disclosure of information, and damage to systems that could compromise the processing integrity, availability, confidentiality or privacy of data or systems and so affect the entity’s ability to meet its objectives.
- Availability – All information and computing systems are ready and available for operation and use at all times to meet the entity’s objectives.
- Processing Integrity – All system processing is complete, accurate, valid, timely and authorized to ensure that the entity meets its objectives.
- Confidentiality – Any information designated as confidential remains secure to meet the entity’s objectives.
- Privacy – All personal information collected, used, retained, stored, disclosed or disposed of must meet the entity’s objectives.
How Do the TSC Integrate the 2013 COSO Framework?
Another vital change to note is the control criteria’s integration with the 2013 COSO Framework. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, a body that set out to provide a framework for publicly traded companies to rigorously assess and report on the design and operating effectiveness of their internal controls each year.
As for the integration with the TSC, the ASEC removed the term “principles” from the original “Trust Services Principles and Criteria” name since the 2013 COSO Framework uses “principles” to refer to its own internal control factors. The ASEC considered this the best solution to avoid any misunderstandings between the two.
Integrating this framework into SOC 2 reporting was done with the intention of expanding the assessment environment. The 2013 COSO is used to assess the design, implementation, and maintenance of internal controls and evaluate their effectiveness.
Like the TSC, the 2013 COSO Framework also has its own internal controls. COSO controls are unique, yet complementary to the TSC’s internal controls. COSO’s internal control components include:
- Control Environment – The control environment should exhibit a commitment to ethical values and integrity, competency and enforcing accountability. It should also have appropriate oversight and guidelines for structure, authority and responsibility.
- Risk Assessment – Risk assessments must have suitable objectives. They must outline the identification, investigation, and analysis of risks, including fraud risk and significant changes.
- Information and Communication – This set of controls governs the selection of relevant information and appropriateness of internal and external communication.
- Existing Control Activities – These controls cover the selection and development of control activities and general technology, as well as the deployment of activities through policies and procedures.
- Monitoring Activities – These outline the need for preparing and conducting ongoing or separate assessments, as well as the evaluation and communications of issues and deficiencies identified by assessments.
Is a Business Required to Address All Criteria in a SOC 2 Report?
Contrary to popular belief, businesses are not necessarily required to address each of the five Trust Services Criteria, plus the five COSO principles. Reviews and audits may be limited to the relevant principles if a business is performing an outsourced service.
How Is SOC for Cybersecurity Addressed by the TSCs?
There is hardly a company—whether a global corporation or a small business—that does not need to consider cybersecurity risks and SOC for Cybersecurity. The ASEC has considered the ever-increasing risks of online business transactions and other communications and has added some supplemental criteria to address evaluating those risks:
- System Operations – The way that service organizations handle the operation of their systems in order to monitor, detect and mitigate security incidents.
- Logical and Physical Access Controls – The ways that service organizations implement logical and physical access controls that serve to prevent unauthorized access and protect data assets.
- Change Management – How service organizations evaluate and determine necessary changes in infrastructure, data, software and procedures, which gives them the ability to securely make changes and prevent unauthorized changes.
- Risk Mitigation – The way that service organizations identify, choose and develop risk mitigation strategies for risks that may involve vendors, business partners and any other possible disruptions.
Why Are the Trust Services Criteria and 2013 COSO Framework So Important to SOC Reporting?
Working with service organizations has become standard operating procedure for most businesses these days. Even smaller companies often outsource some aspect of their business for matters like cloud storage or payroll, so everyone who engages these valuable resources must protect their vital and confidential information and technology.
The TSC offers CIOs and other business leaders a clear set of guidelines to work confidently with service organizations while protecting their interests.
What Is SOC 2 Compliance?
SOC 2 is a reporting framework that defines criteria for managing customer data based on the five Trust Services Criteria: security, privacy, availability, processing integrity and confidentiality. The requirements for SOC 2 certification are unique to each organization that seeks it. They are based on the unique character of the organization and the sensitive information that the organization handles.
Audits for SOC 2 certification are administered by licensed CPA firms, like I.S. Partners. But before you are ready to get compliant, you need to understand what sort of data you are handling and how it is categorized within the Trust Services Criteria.
How Is Data Covered by the Trust Services Criteria Categorized?
The data that is handled under the TSC can basically be broken into three broad categories based on how important it is to safeguard that data. The more important it is to protect data, the stricter its categorization. We break the categories into three basic levels:
- Public – Public data is any data that is, or can safely be, publicly known. Would you publish it on a postcard? This is public data. Examples can include your address, store hours, identity of your CEO and the like. There is no obligation to take any special effort to protect this data, as it is readily available.
- Internal – Internal data is data that should not be spread outside the internal workings of the company. This data, if leaked, could cause moderate risk or damage to the business. Examples of internal data include company handbooks and policies, encryption keys and API keys. This information could be used in a way that is harmful, but the harm that can be done is limited.
- Confidential – Confidential data is the data that, if it were released improperly, could cause the company severe harm. This harm could be financial, or it could be to the reputation of the company. Examples of confidential data include credit card information, prospective customer lists, data from inside your CRM, customer passwords, financial reports and confidential data entrusted to you by your customers.
Some companies create additional data categories, such as Restricted categories that handle information like credit card numbers. However, the more complex a data categorization system is, the better the chances that data will be categorized incorrectly. While there’s not a lot of risk in, say, categorizing something that is public data as internal, it can be very damaging to apply a less stringent label to a piece of data that could do a lot of harm if it got out into the wild.
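The three-level scheme above, and the warning that applying a less stringent label is the damaging mistake, can be turned into a small classification check. The following is an added example, not code from the original article or from I.S. Partners: it scans a record's fields with a few constructed detectors (a Luhn check for card numbers, field-name hints for passwords and keys, a short list of known-public fields), resolves a record to the strictest level any field triggers, defaults unknown fields to Internal rather than Public, and flags any relabelling that would lower a level so it can be reviewed. The field names, detectors and sample records are assumptions made for the example.

```python
import re
from enum import IntEnum


class Level(IntEnum):
    """The article's three tiers, ordered so max() picks the strictest."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# Constructed list of fields the article treats as safely public.
PUBLIC_FIELDS = {"address", "store_hours", "ceo_name"}

# Constructed hints: field names that usually hold the article's examples of
# confidential (passwords) or internal (API / encryption keys) data.
CONFIDENTIAL_HINTS = ("password", "passwd", "card", "ssn")
INTERNAL_HINTS = ("api_key", "apikey", "secret", "encryption_key")

CARD_RE = re.compile(r"^\d{13,19}$")           # digit run the length of a card number
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")  # long opaque token, typical of a key


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum; used to avoid labelling every long number as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_field(name: str, value) -> Level:
    """Assign the strictest level any detector supports for one field."""
    n = name.lower()
    compact = str(value).replace(" ", "").replace("-", "")
    if any(h in n for h in CONFIDENTIAL_HINTS):
        return Level.CONFIDENTIAL
    if CARD_RE.match(compact) and luhn_valid(compact):
        return Level.CONFIDENTIAL
    if any(h in n for h in INTERNAL_HINTS) or TOKEN_RE.match(str(value)):
        return Level.INTERNAL
    if n in PUBLIC_FIELDS:
        return Level.PUBLIC
    # Unknown data defaults to the stricter side: the article notes that
    # over-classifying is low risk while under-classifying is damaging.
    return Level.INTERNAL


def classify_record(record: dict) -> Level:
    """A record is only as public as its most sensitive field."""
    if not record:
        return Level.INTERNAL
    return max(classify_field(k, v) for k, v in record.items())


def relabel_needs_review(current: Level, proposed: Level) -> bool:
    """Downgrades are the dangerous direction, so they are routed for review."""
    return proposed < current


# Constructed sample records mirroring the article's examples.
SAMPLE_RECORDS = [
    {"store_hours": "9-5", "address": "1 Main St", "ceo_name": "J. Doe"},
    {"employee_handbook": "PTO policy text", "api_key": "k" * 40},
    {"customer_password": "hunter2", "card_number": "4111 1111 1111 1111"},
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec).name, rec)
    print("review needed:", relabel_needs_review(Level.CONFIDENTIAL, Level.PUBLIC))
```

The `max()` in `classify_record` is the whole point: a record containing one card number is confidential regardless of how many public fields sit beside it, and the Internal default means a field nobody has thought about cannot silently end up labelled Public.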
Defining How the Trust Services Criteria Affects Your Business
Contact I.S. Partners, LLC to work with an experienced CPA in defining how the TSCs impact your business and preparing for a successful SOC audit.
This post was originally published on December 10, 2015 and has since been modified multiple times to reflect the most up-to-date information.