What's New with SOC 2? How AICPA Updates Will Affect Auditors & Service Organizations
SOC 2 has become the gold standard for companies to prove their commitment to their customers, including how they protect their customer’s data and make their services reliable, resilient, and consistent.
The American Institute of Certified Public Accountants (AICPA) developed a set of guidelines for the contents of a SOC 2 report, which is based on several important documents, including the TSP 100 and DC 200. CPAs or certified accounting firms use these SOC 2 guideline documents to attest to a company’s compliance and security practices.
In October 2022, the AICPA released revised versions of both of these documents. Below we’ll provide a high-level overview of these differences and what they mean for auditors and for service organizations.
What’s changing with TSP 100?
The SOC 2 framework is built around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The criteria in each category are defined by the AICPA in the TSP 100.
The TSP 100 includes points of focus, which serve as implementation guidance for each criteria. Take the following criteria for example: “The entity demonstrates a commitment to integrity and ethical values.” For both organizations that have to demonstrate that and auditors that have to audit for it, the TSP 100 document essentially provides suggestions for what an organization can do to meet that requirement. These include establishing standards of conduct and considering contractors and vendor employees when establishing and evaluating adherence to those standards.
In the most recent update, the AICPA has issued revised points of focus for several of the criteria within TSP 100, with the majority of the updates focusing on the privacy and confidentiality categories. Several other updates were added to help clarify the application of existing criteria to new technologies and evolving risks.
For example, the CC7.4 is about responding to identified security incidents. The revision includes additional points of focus for organizations using both security and privacy as Trust Services Criteria, including the application of breach response procedures when a privacy incident is confirmed.
It’s important to note that no new Trust Services Criteria were added, or even changed. The revisions are simply giving organizations and auditors new ways to think about the criteria in light of the current landscape.
What’s changing with DC 200?
Each SOC 2 report contains four sections, with an optional fifth. The biggest section of the SOC 2 report is the description of the service organization’s system. This includes everything from an overview of the company — who they are, what they do, and what technology they use — to a description of all of the controls that they have implemented with respect to the Trust Services Criteria categories included in the report. The guidelines for what goes into that section, known as description criteria, are detailed in the DC 200.
The AICPA issued clarifications for the implementation guidance for these description criteria. The clarifications were minor and mostly focused on providing more examples.
For example, DC4 is about an entity needing to disclose the nature, timing, extent, and disposition of any significant system incidents identified during the period covered by the SOC 2 report. The 2022 revised implementation guidance includes more examples that may help an auditor or organization determine whether an incident should be disclosed — like if it resulted in the theft, alteration, or unauthorized use of sensitive information.
It’s important to note that no description criteria were changed or added.
What do these changes mean for auditors?
Both the TSP 100 and DC 200 are designed to provide guidance to auditors on how to evaluate a company’s system of controls while performing a SOC 2 audit, and how to evaluate whether the system description in the SOC 2 report is presented sufficiently to meet the needs of users of the report.
Auditors should read through both revised documents carefully to ensure they are properly evaluating an organization’s security posture and writing a SOC 2 report.
What do these changes mean for service organizations?
That depends if you’re using Secureframe’s compliance automation platform.
If your organization is preparing for a SOC 2 audit without an automation platform, you should familiarize yourself with the TSP 100 Revised Points of Focus to ensure your controls satisfy requirements for each Trust Services Criteria, especially around privacy and confidentiality.
However, if you’re using Secureframe’s compliance automation platform, our compliance experts continually consider updates like these when building out tests in our platform, and where needed, highlight suggested changes. That means you don’t have to sift through the piles of updates on your own to determine what they mean for you and your organization.
Recommended reading
Understanding SOC 2 Compliance Requirements
How Secureframe simplifies SOC 2 compliance
While maintaining an updated system of controls is ultimately the responsibility of your own organization, partnering with Secureframe simplifies and streamlines the process.
We save teams hundreds of hours and thousands of dollars spent writing security policies, collecting evidence, hiring security consultants, and performing readiness assessments. And because Secureframe continuously monitors your infrastructure and alerts you of vulnerabilities, you’ll get your SOC 2 report faster and save money while strengthening your security posture.
Request a demo to learn more about how we can help you get SOC 2 compliant in weeks, not months.