What Service Organizations Need to Know About SOC 2 & 3 Reports Changes

If your organization provides services to other businesses, recent changes to the Service Organization Controls (SOC) reports should make your life a little easier.  The American Institute of Certified Public Accountants (AICPA) recently issued an update to the Trust Services Principles for SOC reports to eliminate redundancies and better organize the criteria. The changes will go into effect later this year and greatly facilitate the audit process for service organizations.

The SOC report changes were a hot topic at this year’s ISACA WOW conference, which brought together technology, audit, control and security professionals to discuss the latest developments in information security and risk management.

SOC reports are important because they allow service organizations to demonstrate to their stakeholders, clients and prospective clients that they have the right controls in place to protect clients’ data. Depending on the size of your business and clients, you may have received requests for a SOC report directly from your clients or from your clients’ external auditors. If you haven’t been receiving these requests, be assured that as your company and client base grow, so will the number of requests pouring in for a SOC report.

SOC 2 & 3 reports provide assurance over the controls related to the five trust principles: security, availability, processing integrity, confidentiality and privacy. Your clients want to know that their vendors have effective controls in place surrounding the trust principles, ensuring their data is safe.

What’s changing in the SOC reports?

The most important change coming to the SOC 2 & 3 reports is that the trust service principles have been restructured. In the past, the trust principles all maintained standalone criteria. Going forward, four of the five trust principles (the privacy principle is the only exception) will have common criteria that comprehensively address all of the principles and fewer standalone criteria that are relevant to only a single trust principle.

The common criteria fall into seven categories:

  • Organization and management
  • Communications
  • Risk management and design and implementation of controls
  • Monitoring of controls
  • Logical and physical access controls
  • System operations
  • Change management

What’s the reason for these changes?

Redundancies in the current structure have created some areas of uncertainty for independent auditors in testing certain criteria for each trust principle. This can lead to inefficiencies both in the design and in the execution of the audit plan, as well as some difficulty in communicating the procedures to the service organization.

How will these changes affect you as a service provider?

The changes to the SOC 2 & 3 reports will benefit service organizations in two ways:

  1. The audit process will be easier to understand. External auditors will be able to more effectively communicate the procedures to be performed and explain what the objectives of those procedures will be. Although this was done in the past, the clarification and consolidation of the trust principle criteria will allow this to be communicated with greater ease.
  2. The audit process will become more efficient. The auditor should be making fewer requests of your team, reducing the time and effort on your end and making the experience less painful.

The changes to the Trust Services Principles and Criteria will take effect for reporting periods ending on or after December 15th, 2014. Only time and experience will tell what the extent of the impact of the changes will be, but it seems apparent that the AICPA is making an effort to streamline and clarify the criteria tested by independent auditors, which will ultimately make the process easier for service organizations.

To learn more about how these SOC report changes affect your organization, contact me or another member of Kaufman Rossin’s risk advisory services team.


Richard Salinas is a Management Chief Operations Officer at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
