This webinar was hosted by McKonly & Asbury Partner, Michael Hoffner and Senior Managers, Josh Bantz and Samuel BowerCraft.
The webinar reviewed the new Trust Services Criteria that will be effective for SOC 2 and SOC 3 reports issued after December 15, 2018. The emphasis of this webinar was on evaluating the changes to the criteria, their impact on the report, and the processes and procedures for transitioning from the 2016 Criteria to the 2017 Criteria. The presenters looked in depth at how clients should map their controls from the 2016 Trust Services Criteria to the 2017 Trust Services Criteria, including challenges with the new criteria.
1. Navigating the new Trust Services Criteria
Michael Hoffner, CPA
Joshua Bantz, CPA
5. Introduction
Mike Hoffner, CPA
• Partner and Service Organization Controls (SOC) Leader
• Serves Manufacturing/Distribution, Construction and Engineering Clients
• Serves Service Organizations – SOC 1, SOC 2, and SOC 3 pre-assessment services and examinations
• Performs external Peer Reviews
6. Introduction
Josh Bantz, CPA
• Senior Manager and Service Organization Controls (SOC) Key Member
• Serves Real Estate and Nonprofit Clients
• Serves Service Organizations – SOC 1, SOC 2, and SOC 3 pre-assessment services and examinations
7. Introduction
Samuel BowerCraft, MSIS, CISA
• Senior Manager in the Internal Audit and Management Consulting Group
• Security consulting related to financial data, information systems, and assets
• Experience with strategic oversight and planning; management; operations and installation of technical infrastructure; software; and systems
• M.S., Information Systems
• Certified Information Systems Auditor (CISA)
8. Webinar Objectives
• Overview of SOC 2 and SOC 3 and Trust Services Criteria
• Introduction to the new 2017 Trust Services Criteria
• Mapping the 2016 Criteria to the 2017 Criteria
• Successful techniques to transition SOC 2 and SOC 3 Controls to the 2017 Trust Services Criteria
• Navigating challenges in implementing the 2017 Trust Services Criteria
9. SOC 2 and SOC 3 and Trust Services Criteria Overview
10. Service Organization Controls (SOC) 2 Examinations
• SOC 2 Examinations are:
  • A way of communicating information about controls at a service organization to the users of that service organization
  • Focused on non-financial reporting controls
• SOC 2 service organization controls must meet the specified Trust Services Principles defined by the AICPA
  • Security, Availability, Processing Integrity, Confidentiality and Privacy
• SOC 2 reports are restricted to knowledgeable parties, including users of the service organization and their auditors, and prospective users.
11. Service Organization Controls (SOC) 3 Examination
• SOC 3 was established as a general use report alternative to the SOC 2 Report
• SOC 3 examinations are examinations on controls relevant to the applicable Trust Services Criteria
• The report includes only the auditor’s opinion and a limited description of controls (narrative)
• SOC 3 is a general use report (no limitations on distribution)
• SOC 3 examination covers both design and operating effectiveness of controls relevant to applicable Trust Services Criteria
13. Background on the Update to the Trust Services Criteria
• Significant re-write from the 2016 Trust Services Principles and Criteria
• Aligns with the 2013 COSO Internal Control Framework
• Better addresses cybersecurity risks
• Greater flexibility
• Adds Points of Focus to all criteria
  • Additional detail on the criteria to aid implementation
  • Depending on the environment, not all points of focus need to be met
  • The Points of Focus are not required to be included in the report, and an assessment of whether each point has been addressed is not required
14. Timeline for transitioning to 2017 TSP
• December 15, 2018 - all reports issued after this date must use the 2017 Trust Services Criteria
• Currently either set of criteria can be used for SOC 2 and SOC 3 reporting
• The SOC 2 or SOC 3 report must specify which criteria were used (i.e. 2016 or 2017)
15. 2017 Trust Services Criteria
• Organized into 5 main categories similar to COSO
  • Control Environment (Common Criteria 1 series)
  • Communication and Information (Common Criteria 2 series)
  • Risk Assessment (Common Criteria 3 series)
  • Monitoring Activities (Common Criteria 4 series)
  • Control Activities (Common Criteria 5 series)
• 17 COSO principles included in the 5 categories
16. 2017 Trust Services Criteria
• Additional categories to cover IT and cybersecurity
  • Logical and physical access (CC6 series)
  • System operations (CC7 series)
  • Change Management (CC8 series)
  • Risk Mitigation (CC9 series)
• Renames Trust Services Principles and Criteria (TSP) to Trust Services Criteria (TSC)
  • Avoids confusion with the 17 COSO principles
17. Transitioning to the 2017 Trust Services Criteria
Mapping Controls from the 2016 Trust Services Principles to the 2017 Trust Services Criteria
18. Mapping from 2016 TSP to 2017 TSC
• Step 1 – Map Identified Controls to New Criteria / Gap Assessment
  • AICPA released a spreadsheet mapping the 2016 Principles to the 2017 Criteria
  • Includes Common Criteria and Additional Criteria for Availability, Confidentiality, Processing Integrity and Privacy
  • The document provides a comprehensive mapping from the 2016 Trust Services Principles to the 2017 Trust Services Criteria
  • The spreadsheet provides service organizations with a valuable tool to map their controls under the 2016 Trust Services Principles to the 2017 Trust Services Criteria and should be the first step in the transition process
21. Techniques to transition to 2017 TSC
• Service Organizations should start the process by completing the mapping prior to the start of the reporting period
  • Complete mapping of current controls to the 2017 TSC using the AICPA Tool
  • Complete gap assessment:
    • Evaluate the language within the new criteria and determine whether the organization’s current controls successfully meet the TSC objectives.
    • Evaluate the current controls against the Points of Focus for each of the new Trust Services Criteria
      • Reminder: no requirement to meet or address every Point of Focus
      • The Points of Focus are a tool for evaluating current controls against the TSC.
22. Techniques to transition to 2017 TSC
• Allow sufficient time to plan for any required changes and to design and implement new controls
• Pay attention to the reporting period; ensure new controls are implemented in a timely manner and are properly documented
• Reach out to your SOC auditor with any questions or concerns
23. Sample Mapping
• New 2017 TSC Criteria 1.1: The entity demonstrates a commitment to integrity and ethical values.
- Maps to -
• Previous 2016 TSC CC1.4 - The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security.
24. Sample Mapping
• Points of Focus related to Criteria 1.1
  • Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
  • Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
25. Sample Mapping
• Points of Focus related to Criteria 1.1 cont’d
  • Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
  • Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
  • Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.
27. Challenges Implementing the 2017 TSC
• The 17 COSO principles don’t directly map to the 2016 Trust Services Principles and Criteria
• Service organizations will need to assess whether their controls meet all of the 17 internal control principles
• Service organizations may need to restructure their internal controls to comply with the 2017 Trust Services Criteria – this requires TIME
• Any new/updated controls need to be in place for the entire reporting period
28. Challenges Implementing the 2017 TSC (cont’d)
• Service organizations might be required to implement new processes and activities to meet the 2017 TSC
• Policies and Procedures may need to be written/updated and implemented prior to the start of the reporting period.
• Documentation of new processes and controls will need to be established to provide sufficient evidence to test the operating effectiveness of the controls.