If your clients rely on your company to store or manage applications or data, you may now, or in the future, be required to provide those clients with assurance over the effectiveness of your internal controls relating to security, availability, processing integrity, confidentiality, and privacy (the five categories addressed by the Trust Services Criteria, previously known as the Trust Services Principles).
This assurance is usually provided to clients through the issuance of what is referred to as a SOC 2 or SOC 3 audit report: a SOC 2 report is a detailed, restricted-use report intended for the clients and their auditors, while a SOC 3 report is a general-use summary of the same examination that omits the detailed description of controls and test results.
Important changes came into effect on December 15, 2018, requiring SOC 2 and SOC 3 audit reports issued after that date to conform to the updated 2017 Trust Services Criteria.
What’s the impact?
These changes affect companies that are already conducting SOC 2 and SOC 3 audits for the benefit of their clients, as well as those that are poised to begin such audits. This is largely because the 2017 Trust Services Criteria set tighter expectations around cybersecurity and risk assessment, while at the same time giving organizations more flexibility in how they design and describe the controls that meet the security and privacy criteria.
What will the changes entail?
While the 2017 Trust Services Criteria include numerous amendments, some of the more notable changes are:
- Better alignment with the 17 principles of the COSO 2013 internal control framework, with the intention of having the new Trust Service Criteria as a form of companion guidance to the COSO framework with a broader, entity-wide focus;
- Additional criteria to ensure that various cybersecurity and fraud risks are considered, as well as risks specific to vendors and business partners;
- Additional criteria relating to availability, processing integrity, confidentiality and privacy assessment categories;
- Specific assessment criteria to assist management and their auditors in evaluating whether the controls are suitably designed and operating effectively; and
- New disclosure requirements for management (including citing the specific service commitments and system requirements to meet client needs, as well as increased transparency when reporting system incidents to user entities).
How can Grant Thornton help?
Because these changes increase the number of controls that could fall within the scope of a SOC 2 or SOC 3 audit, there may be gaps in your existing system of controls. We can help you uncover them, and determine which new controls need to be deployed, by conducting a readiness assessment and building a roadmap for closing them. We can also assist you in updating management's description of the system and its controls, and in ensuring that the required disclosures (including the service commitments, system requirements, and incident reporting noted above) are made consistently and communicated effectively to all of your clients.
In today's business environment, everyone wants to work with companies that are committed to reducing risk to data privacy, confidentiality, and the other trust services categories.
By taking steps to meet the requirements of the updated 2017 Trust Services Criteria, you will strengthen not only your own system of controls but also those of the clients who rely on and trust you.
Grant Thornton Business Risk Services specializes in helping businesses navigate all areas of SOC 2 and SOC 3 audits. So, whether you’re conducting one for the first time, or are looking to meet today’s new requirements, we can support you—every step of the way.