Deciphering the New SOC 2 Framework
Dec. 15, 2018 is right around the corner, and any System and Organization Controls 2 (SOC 2) reports covering periods ending after that date are required by the American Institute of CPAs (AICPA) to incorporate a new SOC 2 framework. So, how will this impact the SOC 2 reports that service providers will deliver moving forward?
First and foremost, be assured that the overall purpose of the SOC 2 report will remain the same. Service organizations (and other entities) can still use the report for an independent service auditor’s opinion on whether the controls in place were properly designed and operating effectively per the criteria of selected Trust Service Categories (Security, Availability, Processing Integrity, Confidentiality, and/or Privacy) over a period of time. However, those criteria have now changed to align with the COSO 2013 Framework in an effort to integrate more easily with other compliance frameworks. It is also important to note that only SOC 2 reports will be impacted by the changes. Any SOC 1 reports that cover services explicitly impacting financial reporting will retain the same format.
Impact of New Framework
Controls Will Be Remapped
With the transition to align with the COSO 2013 Framework, new SOC 2 reports will replace the 2016 Trust Services Principles (2016 TSP) with the 2017 Trust Services Criteria (2017 TSC), which will impact the look of the controls matrix within any SOC 2 report. This change will require all previous controls to be remapped to the 2017 TSC, which may cause some confusion. To provide clarity, the AICPA has prepared a document to cross-reference the 2016 TSP and the 2017 TSC elements.
Additional Controls May Be Included
With the implementation of the new framework, any controls tested within previous SOC 2 reports will likely carry forward within new SOC 2 reports (although they will be remapped to the new criteria). However, the report may also include additional controls for two reasons:
- The AICPA has defined “Points of Focus” for each criteria, which provide multiple examples of how an organization may meet each 2017 TSC. As illustrated by the Points of Focus, the breadth of each criteria can be expansive, and as a result, a service organization may include additional controls to ensure that more aspects of the criteria are met.
- The new framework includes some elements not previously covered within SOC 2 reports. The new elements are meant to provide additional oversight for management and risk mitigation across the entire organization. Because SOC 2 reports come from organizations of varying sizes, structures, budgets, and maturity levels, there will likely be a wide variety of controls covering these new elements.
Key SOC 2 Elements to Keep in Mind
Because CSOCs and CUECs are important to the proper operation of the entire system, ensure they are covered in your SOC 2 report.
Along with sharing information about the new SOC 2 framework, the AICPA continues to emphasize several key elements during its annual SOC school training seminars. While these elements are not new, the AICPA wants service organizations, service auditors, and especially user entities, to truly understand how the report should be used to provide information on an entity’s control performances and risks.
Those elements are the following:
- Complementary User Entity Controls (CUECs): A SOC report for a service organization is considered incomplete if evaluations of CUECs are not included. That is because if CUECs at each downstream user entity do not operate effectively, failures at the service organization could occur. SOC reports need to be reviewed for any CUECs listed and user entities must verify that these controls are performed consistently.
- Complementary Subservice Organization Controls (CSOCs): Subservice organizations are additional links in the chain. User entities need to be aware of how these upstream services are addressed in their service organization’s SOC 2 report and whether additional information needs to be gathered from the subservice organizations themselves to ensure that CSOCs are performed consistently.
- Qualified Opinions: The industry expects the frequency of auditors’ qualified opinions to rise as increased scrutiny is paid to accurately assessing the risks and materiality of exceptions encountered during testing. A qualified opinion does not automatically discount the findings of a SOC 2 report. It simply indicates that a user entity must perform additional procedures to gain comfort that the qualified criteria is appropriately covered by the controls in place.
Focus on the Basics When Reviewing a SOC 2 Report
Finally, while reviewing the key elements and appearance of a SOC 2 report, it is important to remember to focus on the fundamental elements that should always be a part of the review process. When examining the report to determine whether appropriate controls were operating effectively over the test period, a reviewer should continue to evaluate the following:
- Scope of the Report: Does the report cover the services being used, and does it address the Trust Services Categories that are required (i.e., Security, Availability, Processing Integrity, Confidentiality, and/or Privacy)?
- Firm: Is a reputable firm performing the testing and issuing an opinion?
- Controls: Do controls mapped to each criteria fully meet all specifics laid out in the criteria? For example, do logical access controls address provisioning and de-provisioning of access for all computing resources, including operating systems, applications, databases, hardware, and any other elements that rely upon user authentication for security?
- Tests Performed: Is the documented testing adequate to support an opinion over the controls in question? Was sample-based testing performed or was testing simply an observation or discussion? Is management’s response reasonable and appropriate?
- Exceptions: Were exceptions noted during testing? Given the number of exceptions, the sample size, and any circumstances surrounding the exception, how extensive does the control failure appear to be?
The new SOC 2 framework will impact everyone who relies on SOC 2 reports, and there is bound to be some uncertainty as both user entities and service organizations adjust to the new requirements. For more information or to discuss any questions or concerns, please reach out to a member of our SOC Services Group.
Keeping you updated on COVID-19 and its impact on businesses and individuals.