When was the last time your organization got a SOC report? Did you know that the compliance and reporting standards have changed? Are you sure you’ll be ready for your next examination?
As the threat landscape changes and the business community’s demand for transparency and assurance around controls and processes grows, organizations have to recognize a need to evolve. And now the AICPA has mandated it. In 2017, the standards-setting organization released revised Trust Services Criteria, which are required for reports dated on or after December 15, 2018, but are available for early adoption now. You may need to supplement your organization’s internal controls – including documenting and testing them – to stay compliant with the latest standards.
First things first, some naming changes. Broadly, SOC, which used to stand for Service Organization Control, now means System and Organization Controls. The “Trust Services Principles” for SOC 2 reports became the “Trust Services Criteria,” while the lower-case-p principles (security, availability, processing integrity, confidentiality, and privacy) are now the “Trust Services Categories.”
This is where the revisions start to affect the specific controls your organization needs to have in place. The Trust Services Criteria are now aligned with the COSO 2013 framework: the common criteria CC1 through CC5 map directly to COSO’s 17 principles, CC6 through CC9 add supplemental criteria for logical and physical access, system operations, change management, and risk mitigation, and points of focus (clarifications of what each criterion expects) have been added throughout. Practically speaking, you need to perform a gap analysis. Map the SOC 2 controls you have in place to the 2017 Trust Services Criteria. Where your controls don’t align, you’ll need to address the gaps.
Here is an outline to help you identify gaps your organization might expect to find based on the new alignment with COSO:
CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Specifically, the board must:
- Establish oversight responsibilities
- Apply relevant expertise, or supplement their expertise where gaps exist
- Operate independently from management
CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. This entails:
- Identifying information requirements
- Capturing internal and external sources of data
- Processing relevant data into information, while maintaining quality during processing
CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. This principle gets a lot of attention. A few high-level requirements:
- Operations objectives reflect management’s choices; consider tolerances for risk; include operations and financial performance goals; and form a basis for committing resources.
- External financial reporting objectives comply with applicable accounting standards; consider materiality; and reflect the entity’s activities – that is, its underlying transactions and events – to show qualitative characteristics and assertions.
- External nonfinancial reporting objectives comply with externally established frameworks; consider the required level of precision; and also reflect the entity’s activities, within a range of acceptable limits.
- Internal reporting objectives reflect management’s choices; consider the required level of precision; and, again, reflect the entity’s activities.
- Compliance objectives reflect external laws and regulations; consider tolerances for risk; and establish sub-objectives to support the objectives.
CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control. The entity must assess changes in:
- The external environment
- The business model
- Systems and technology
- Vendor and business partner relationships
CC5.3 COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. The entity needs to:
- Establish policies and procedures to support deployment of management’s directives, with responsibility and accountability for executing them
- Ensure that controls are performed in a timely manner, using competent personnel
- Take corrective action where necessary
- Periodically review control activities and refresh them when necessary
CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. This means the entity:
- Uses defined configuration standards
- Monitors infrastructure and software
- Implements change-detection mechanisms
- Detects unknown or unauthorized components
- Conducts vulnerability scans
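The CC7.1 points of focus above are the ones most amenable to automation. The script below is an added example, not code from the original post or from Peterson Sullivan: it keeps a hashed baseline of configuration files approved under a configuration standard, compares a current snapshot against it to flag modified, added, and removed files, and checks an installed-component inventory against an approved list and a list of known-vulnerable versions. All file contents, package names (such as `example-web`) and the vulnerable-version entry are constructed sample data, not real advisories; in practice the snapshot would be read from the host and the vulnerable-version set from a vulnerability feed.

```python
import hashlib
import json

# Constructed sample data (not from the original post). Package names are
# hypothetical and the "vulnerable" entry is illustrative, not a real advisory.
BASELINE_CONFIG = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sysctl.d/99-hardening.conf": "net.ipv4.ip_forward = 0\n",
}
CURRENT_CONFIG = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # drifted
    "/etc/sysctl.d/99-hardening.conf": "net.ipv4.ip_forward = 0\n",
    "/etc/cron.d/unknown-job": "* * * * * root /tmp/x.sh\n",  # not in the standard
}
APPROVED_COMPONENTS = {"example-sshd": "8.4", "example-web": "1.18"}
INSTALLED_COMPONENTS = {"example-sshd": "8.4", "example-web": "1.20", "example-tunnel": "0.3"}
# Constructed advisory feed: (component, version) pairs with a known weakness.
VULNERABLE_VERSIONS = {("example-web", "1.20")}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(config: dict) -> dict:
    """Record only hashes, so the baseline can be stored and signed without the contents."""
    return {path: sha256_hex(content) for path, content in config.items()}


BASELINE_HASHES = build_baseline(BASELINE_CONFIG)


def detect_config_drift(baseline_hashes: dict, current_config: dict) -> dict:
    """Compare current file contents against the hashed baseline (change detection)."""
    current_hashes = build_baseline(current_config)
    modified = sorted(
        p for p in baseline_hashes
        if p in current_hashes and current_hashes[p] != baseline_hashes[p]
    )
    added = sorted(p for p in current_hashes if p not in baseline_hashes)
    removed = sorted(p for p in baseline_hashes if p not in current_hashes)
    return {"modified": modified, "added": added, "removed": removed}


def detect_component_drift(approved: dict, installed: dict, vulnerable: set) -> dict:
    """Flag unknown or unauthorized components and versions that no longer match."""
    unauthorized = sorted(name for name in installed if name not in approved)
    missing = sorted(name for name in approved if name not in installed)
    version_changed = sorted(
        (name, approved[name], installed[name])
        for name in approved
        if name in installed and approved[name] != installed[name]
    )
    # Susceptibility to newly discovered vulnerabilities: match the inventory
    # against the advisory feed rather than rescanning every host.
    vulnerable_found = sorted((n, v) for n, v in installed.items() if (n, v) in vulnerable)
    return {
        "unauthorized": unauthorized,
        "missing": missing,
        "version_changed": version_changed,
        "vulnerable": vulnerable_found,
    }


def run_checks() -> dict:
    """Produce the evidence record an auditor would expect the monitoring control to emit."""
    report = {
        "config": detect_config_drift(BASELINE_HASHES, CURRENT_CONFIG),
        "components": detect_component_drift(
            APPROVED_COMPONENTS, INSTALLED_COMPONENTS, VULNERABLE_VERSIONS
        ),
    }
    report["drift_detected"] = any(report["config"].values()) or any(
        report["components"].values()
    )
    return report


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

Storing the baseline as hashes rather than file contents means it can be checked into version control and signed, which gives the auditor a tamper-evident record of what the configuration standard actually was at each point in the review period. The same report, run on a schedule and retained, is the kind of evidence that supports the monitoring and change-detection points of focus.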
CC9.1: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. The entity must:
- Consider mitigation of risks of business disruption
- Consider the use of insurance to mitigate financial impact risks
PI1.1: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. This includes:
- Identifying information specifications to support the use of products and services
- Defining the data necessary to support a product or service
This outline is certainly not exhaustive, and the specifics vary depending on your organization. Mapping your existing controls to these and the remaining criteria is a critical activity that should happen before your next SOC exam.
If you need help assessing the gaps related to the 2017 changes, contact Mike Travis, from Peterson Sullivan’s IT Risk Services team. Mike Travis is COSO-certified and is ready to help you incorporate these changes.