A leaner SOC 2
What the AICPA’s new SOC 2 guidelines mean for your organization
If your organization provides services that include handling valuable data, the success of your business may depend on your ability to demonstrate effective internal controls. To meet this need for assurance, the American Institute of Certified Public Accountants (AICPA) introduced Service Organization Control (SOC) reporting in 2011. SOC reporting offered three reporting options, SOC 1, SOC 2 and SOC 3, of which SOC 2 was designed specifically to provide an entirely new type of assurance: assurance over controls not related to financial reporting.
Now, just three years into SOC 2 reporting, the AICPA has made a comprehensive effort to improve SOC 2 reporting standards. Why did SOC 2 need a comprehensive overhaul? How will these changes affect your organization?
We spoke with Brian Beal, manager of business process assurance services at Sensiba San Filippo LLP, to discuss what service organizations need to know about the changes to SOC 2.
Why were SOC 2 standards updated and why was the update important?
While the original SOC 2 provided a critical assurance tool, users of SOC 2 found it too difficult to administer and understand. A SOC 2 evaluation could cover any or all of five Trust Service Principles (TSPs), which included security, availability, processing integrity, confidentiality and privacy.
Some organizations may have only desired a report to cover one of the TSPs, but other organizations needed assurance in multiple areas. While the TSPs could have shared many common test criteria, the initial SOC 2 procedures required time-consuming redundancy in testing these criteria, meaning that testing for multiple TSPs could be extremely costly and drain resources.
Additionally, end users of SOC 2 reports found them to be voluminous and difficult to understand. If the reports were too complex for readers, it was difficult for them to achieve their original objective, which is to provide assurance to users of the reports.
What were the biggest changes to SOC 2?
The new guidelines have made SOC 2 reporting simpler, more efficient and more useful. First, the list of five original TSPs has been shortened to four, as privacy follows the generally accepted privacy principles (GAPP) and is being revised separately. Next, redundancy in testing has been significantly reduced, as more than 120 testing criteria have been reduced to 28 core ‘criteria common to all principles.’ Now, each TSP starts with the same basic 28 principles. Testing for availability requires three additional criteria, while processing integrity and confidentiality each require six additional criteria. Whether you are testing for one TSP or multiple, the testing process will now be less painful.
In addition to simplifying the testing process, the format of the actual report will change as well. A new risk assessment element can now be used to identify risks and correlate those risks with the criterion being examined. Risks will be documented within the SOC 2 final report in order to show how each control is specifically mitigating the risk identified. The result is a clearer, more valuable report for both service organizations and stakeholders.
How will the changes improve the evaluation process?
The nature and intent of the SOC 2 report hasn’t changed. The new guidelines simply seek to clarify and solidify the array of control criteria. The process should now be simpler, reports should be more consistent and the entire process should provide greater value to both service organizations and stakeholders.
What actions do I need to take?
The 2014 version of SOC 2 is already published and supersedes the previous version for periods ending on or after Dec. 15, 2014, while the AICPA is encouraging early implementation. Be sure your next SOC 2 report is utilizing the newly released standards. The process and the result should be significantly improved.