IT Insights - TSP Criteria Updates


Updated TSP criteria changes SOC 2 reporting

In March 2016, the American Institute of Certified Public Accountants (AICPA) released updates to the Trust Services Principles (TSP) section 100 criteria used to obtain assurance over outsourced services that are relevant to user entities, but non-financial in nature. The updated criteria take effect for Service Organization Controls (SOC) reports issued on or after December 15, 2016, with early adoption permitted. This update follows revisions previously made to TSP section 100 in 2014.

SOC reports first took effect in 2011 and were introduced by the AICPA as a replacement for the SAS 70 report. Three SOC report categories were introduced. A SOC 1 report pertains to controls relevant to a customer organization’s internal control over financial reporting (ICFR). A SOC 2 report is widely used by auditors to attain assurance for services that do not directly relate to ICFR. The SOC 2 report encompasses the following five trust services principles (TSP):

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

A SOC 2 report does not have to address all five TSP and will typically focus on the principles most relevant to the service organization’s customers. A SOC 2 Type 1 report includes a description of the organization’s system, a CPA’s opinion on the fairness of presentation of the description, and suitability of the design to achieve the criteria necessary to fulfill the principles being reported upon. A SOC 2 Type 2 report includes those items as well as descriptions of tests performed by the auditor and test results to assess the effectiveness of controls during a specified period of time. The SOC 2 report is generally used for providing the highest level of assurance for non-ICFR concerns.

A SOC 3 report also focuses on the five TSP, but is more of a general use report. A SOC 3 report is shorter and less detailed than a SOC 2 report and is shared openly, with a website seal illustrating a service organization’s compliance with SOC 3 requirements.

The multiple updates within recent years reflect technological changes, increased use of service organization offerings (including SaaS and other cloud services), and the corresponding need to attain assurance amid heightened technology-related risk. The restructured Privacy principle in the 2016 TSP section 100 updates emphasizes the importance of properly handling personal information concerns, too.

