The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) has released a new set of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP Section 100, the 2017 Trust Services Criteria) for SOC 2, SOC 3, and SOC for Cybersecurity engagements. It supersedes the 2016 TSP Section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Though the AICPA shortened the name from Trust Services Principles and Criteria to Trust Services Criteria, the acronym TSP remains the same, and the guidance is still published as TSP Section 100. The five trust services categories (Security, Availability, Processing Integrity, Confidentiality, and Privacy) also remain the same, and the basic definition of each is unchanged in the 2017 guidance.

Required 2017 Trust Services Criteria Date
SOC 2 reports with periods ending on or before Dec. 15, 2018, may still be issued using the 2016 Trust Services Criteria. The 2017 Trust Services Criteria are required for reports with periods ending on or after Dec. 16, 2018, so any examination period that closes after that date must be planned and tested against the 2017 criteria.

Key Benefits of the Criteria Change
According to the AICPA, the new criteria deliver three key benefits:

  1. Align the Trust Services Criteria with the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework
  2. Address cybersecurity risks more thoroughly
  3. Increase flexibility in application

COSO Internal Control – Integrated Framework
The new Trust Services Criteria have been aligned to the 17 principles of the COSO Internal Control – Integrated Framework, which COSO revised in 2013 as a framework for assessing the design and operating effectiveness of an entity's internal control (it originated as a framework for internal control over financial reporting). The 17 principles are grouped into five components, which the 2017 criteria use as the first five groupings of common criteria:

  • Control Environment
  • Communication and Information
  • Risk Assessment
  • Monitoring Activities
  • Control Activities

In addition to the 17 COSO principles, the Trust Services Criteria include supplemental criteria that expand on COSO principle 12 ("The entity deploys control activities through policies that establish what is expected and procedures that put policies into action"). These supplemental criteria, described in TSP Section 100.05, are organized as follows:

  • Logical and physical access controls. The criteria relevant to how an entity restricts logical and physical access, provisions and removes that access, and prevents unauthorized access.
  • System operations. The criteria relevant to how an entity manages the operation of its system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
  • Change management. The criteria relevant to how an entity identifies the need for changes, makes changes through a controlled change management process, and prevents unauthorized changes from being made.
  • Risk mitigation. The criteria relevant to how an entity identifies, selects, and develops risk mitigation activities for potential business disruptions and for the use of vendors and business partners.

Points of Focus
Applying the trust services criteria in actual situations requires judgment; therefore, each criterion has been assigned points of focus that describe characteristics important to achieving it. Note that not all points of focus will be suitable or relevant to every service organization.

Management may customize a particular point of focus or identify and consider other characteristics based on its specific circumstances. Use of the trust services criteria does not require an assessment of whether each point of focus is addressed; the evaluation is whether the criterion itself is met. The AICPA publishes on its website a mapping of the 2017 Trust Services Criteria to the 2016 criteria that includes the points of focus for each criterion.

Management of service organizations should review the points of focus and compare them to their current controls to assess whether the trust services criteria will be achieved. At Barnes Wendling, our experienced SOC team, which is dedicated to providing high-quality internal control services, can help you prepare for the new guidance.