Formerly known as the Trust Services Principles (TSP), the Trust Services Criteria (TSC) has gone through a few more changes than just the name.
The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) Trust Information Integrity Task Force ensures the technical accuracy of the TSC, which includes the expanding scope for organization-wide engagements and developing related services that leverage the TSC.
The ASEC keeps watch over all the changes made through the AICPA and other decision-making entities regarding System and Organization Controls (SOC) 2 reporting elements to make sure all businesses required to perform these audits have easy access any necessary information.
Explore the Two Primary Changes to the Trust Services Principles and Criteria
There are two major changes to the Trust Services Principles and Criteria for SOC 2 reporting.
1. The Name Change to Trust Services Criteria
The TSC serve as control criteria for the use in consulting engagements or attestation to assess and report on controls for information and systems. These controls may cover areas that include:
- An entire entity
- A subsidiary division or operating unit level
- Internally and within a function relevant to the entity’s operational, compliance or reporting objectives
- A specific type of information used by the entity.
Although the name Trust Services Principles and Criteria has changed to Trust Services Criteria, the five categories that encapsulate these control criteria have stayed the same under the new name, and they are:
A business’s data and computing systems are fully protected against any unauthorized access, unauthorized and inappropriate disclosure of information, and any possible damage to systems that might compromise the processing integrity, availability, confidentiality or privacy of data or systems that may affect the entity’s ability to meet its objectives.
All information and computing systems are ready and available for operation and use at all times to meet the entity’s objectives.
All system processing is complete, accurate, valid, timely and authorized to ensure that the entity meets its objectives.
Any information designated as confidential remains secure to meet the entity’s objectives.
All personal information collected, used, retained, stored, disclosed or disposed of must meet the entity’s objectives.
2. The TSC Integration with the 2013 COSO Framework
The control criteria has stayed the same under the new name, but there is another vital change to note, which is the control criteria’s integration with the 2013 COSO Framework. The COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, and the body set out to provide a framework for publicly traded companies to rigorously assess and report on the design and operating effectiveness of their internal controls each year.
As for the integration with the TSC, the ASEC removed the term “principles” from the original “Trust Services Principles and Criteria” name since the 2013 COSO Framework uses “principles” to refer to its own internal control factors. The ASEC considered this the best solution to avoid any misunderstandings between the two.
Integrating this framework into SOC 2 reporting was done with the intention of expanding the assessment environment. The 2013 COSO is used to assess the design, implementation and maintenance of internal controls and evaluate their effectiveness.
Like the TSC, the 2013 COSO Framework (COSO) also features its own internal controls. However, the controls the framework covers are unique yet complementary to the TSC’s internal controls. COSO’s internal control components include:
- Control Environment
- Risk Assessment
- Information and Communication
- Existing Control Activities
- Monitoring Activities
Additionally, service organizations’ controls are obligated to meet the 17 internal control principles that coincide and align with COSO’s five components for internal controls. Here is a closer look at the 17 control principles within COSO’s five components:
- Exhibit commitment to ethical values and integrity
- Exercise appropriate oversight responsibility
- Sets structure, authority and responsibility guidelines
- Demonstrates commitment to competency
- Enforces accountability
- Defines suitable objectives
- Identifies, investigates and analyzes risks
- Examines and assesses fraud risks
- Identifies and analyzes any significant changes
- Chooses and develops control activities
- Selects and develops controls over general technology
- Deploys control activities through policies and procedures
Information and Communication
- Selects relevant information
- Communicates internally
- Communicates externally
- Prepares and conducts ongoing and/or separate assessments
- Evaluates and communicates any issues or deficiencies found in assessments
Seeing as these internal control principles do not automatically connect to the 2016 update of the Trust Services Principles and Criteria, service organizations will most likely need to restructure their internal controls to comply with the integration.
Supplemental Criteria in Support of SOC for Cybersecurity
There is hardly a company—whether a global corporation or a small business—that does not need to consider cybersecurity risks and SOC for Cybersecurity. The ASEC has considered the ever-increasing risks of online business transactions and other communications and has added some supplemental criteria to address evaluating those risks:
- System Operations. The way that service organizations handle the operation of their systems in order to monitor, detect and mitigate security incidents.
- Logical and Physical Access Controls. The ways that service organizations implement logical and physical access controls that serve to prevent unauthorized access and protect data assets.
- Change Management. How service organizations evaluate and determine necessary changes in infrastructure, data, software and procedures, which gives them the ability to securely make changes and prevent unauthorized changes.
- Risk Mitigation. The way that service organizations identify, choose and develop risk mitigation strategies for risks that may involve vendors, business partners and any other possible disruptions.
Why Are the Trust Services Criteria and 2013 COSO Framework So Important to SOC Reporting?
Working with service organizations has become standard operating procedure for most businesses these days. Even smaller companies often outsource some aspect of their business for matters like cloud storage or payroll, so everyone who engages these valuable resources must protect their vital and confidential information and technology.
The TSC offers CIOs and other business leaders a clear set of guidelines to work confidently with service organizations while protecting their interests.
Do You Feel Confident About the New Trust Services Criteria Changes and How They Might Affect Your Business?
Have you heard about these changes to the original Trust Services Principles and Criteria? If it is all new to you and you could use a little extra explanation or help, our I.S. Partners, LLC. team has it all under control. We can help you determine the principles that are relevant to your organization and that you need to address for your upcoming SOC 2 audit.
This post was originally published on December 10, 2015 and has since been modified to reflect the most up-to-date information.