Earlier this year the AICPA issued an update to the Trust Services Principles and Criteria (TSPC) impacting how SOC 2 and SOC 3 examinations are conducted and reported. It is essential for companies undergoing these examinations to understand the changes to the TSPC since they will significantly impact the examination process.
The 2014 version of the principles supersedes the 2009 framework and is designed to increase criteria clarity, reduce redundancies and update criteria to match current business technologies.
The new framework must be implemented in all examinations for periods ending on or after December 15, 2014; however, early implementation is permitted.
Key TSPC Changes
Below is a summary of the broad changes as part of the new trust principles.
Any company that has recently been involved in a SOC 2 or SOC 3 examination realizes there is a great deal of overlap in criteria for the principles, which creates redundancies. In response to the redundancies and in order to make the examination process more straightforward, the AICPA restructured the criteria for the Security, Availability, Processing Integrity and Confidentiality principles in the following ways:
- Criteria from the four principles that overlapped were combined into a new set of common criteria
- The new set of common criteria is the complete set of criteria for the security principle
- Additional criteria that are applicable to only a single principle (for the availability, processing integrity and confidentiality principles) were identified
No changes were made to the privacy principle, but it is currently under review.
Further, the common criteria have been put into categories that closely align with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. The categories include:
- Organization and management
- Risk management and controls implementation
- Monitoring of controls
- Access controls
- System operations
- Change management
Addition of Risks & Illustrative Controls
The revised framework also provides practitioners and companies with illustrations of the risks that can prevent companies from meeting the established criteria, along with illustrative controls that can be implemented to address the criteria. The risks and controls can be found in the AICPA’s e-book (Appendix B, Illustrative Risks and Controls) and are provided to act as a guide for all engagements.