IN MARCH 2016, the American Institute of Certified Public Accountants (AICPA) released updates to the Trust Services Principles (TSP) section 100 criteria used to obtain assurance over outsourced services that are relevant to user entities, but non-financial in nature. The updated criteria take effect for System and Organization Controls (SOC) reports issued on or after December 15, 2016, with early adoption permitted. This update follows revisions previously made to TSP section 100 in 2014.

SOC reports first took effect in 2011 and were introduced by the AICPA as a replacement for the SAS 70 report. Three SOC report categories were introduced. A SOC 1 report pertains to controls relevant to a customer organization’s internal control over financial reporting (ICFR). A SOC 2 report is widely used by auditors to attain assurance for services that do not directly relate to ICFR. The SOC 2 report encompasses the following five trust services principles (TSP):

• Security• Availability• Processing Integrity• Confidentiality• Privacy

A SOC 2 report does not have to address all five TSP and will typically focus on the principles most relevant to the service organization’s customers. A SOC 2 Type 1 report includes a description of the organization’s system, a CPA’s opinion on the fairness of presentation of the description, and suitability of the design to achieve the criteria necessary to fulfill the principles being reported upon.

A SOC 2 Type 2 report includes those items as well as descriptions of tests performed by the auditor and test results to assess the effectiveness of controls during a specified period of time.

The SOC 2 report is generally used for providing the highest level of assurance for non-ICFR concerns. A SOC 3 report also focuses on the five TSP, but is more of a general use report. A SOC 3 report is shorter and less detailed than a SOC 2 report and is shared openly, with a website seal illustrating a service organization’s compliance with SOC 3 requirements.

The multiple updates within recent years reflect technological changes, increased use of service organization offerings (including SaaS and other cloud services), and the corresponding need to attain assurance amid heightened technology-related risk. The restructured Privacy principle in the 2016 TSP section 100 updates emphasizes the importance of properly handling personal information concerns, too.

Updated TSP criteria changes SOC 2 reporting

IT InsightsTSP Criteria Updates

IT Insights: TSP Criteria Updates

Common Criteria Updated for TSPs

IN 2014, THE AICPA RESTRUCTURED the Security, Availability, Processing Integrity and Confidentiality principles, and introduced common criteria for all principles. The common criteria reduce redundancies and needs for cross-checking criteria among various principles. The common criteria categories comprise the Security principle, making a report on the Security principle a report on the common criteria.

A report on Security and Availability, for example, then includes the common criteria as well as criteria unique to the Availability principle. With the 2016 update to TSP section 100, common criteria also apply to the restructured Privacy principle, so a report on the Privacy principle would address common criteria as well criteria unique to the Privacy principle. The common criteria applicable to all five TSP are organized into seven categories:

• Organization and management • Communications • Risk management and design and implementation

of controls• Monitoring of controls• Logical and physical access controls • System operations• Change management

Updates were made in 2016 to the Risk management and design and implementation of controls common criteria (TSP section 100, CC 3.1 and CC 3.3) to clarify when threats may arise from the use of vendors or other

third parties, as well as from customer personnel or others with system access. Other revisions emphasize addressing criteria specific to the principle(s) being reported upon in the engagement.

Privacy Principle Restructured

THE PRIVACY PRINCIPLE WAS REVISED in the 2016 update and supersedes Generally Accepted Privacy Principles (GAPP) guidance from TSP section 100A. The restructured Privacy principle is more concise and alleviates uncertainty as to whether practitioners should follow TSP or GAPP guidance for SOC Privacy reporting purposes. Appendix B of TSP section 100 now includes illustrative risks and controls for the Privacy principle.

The Privacy principle relates to personal information, such as a person’s address, phone number or driver’s license number. The restructured Privacy principle criteria are organized into eight categories:

• Notice: An organization must provide notice of its privacy practices, including purposes for collecting, using, retaining and disclosing personal information.

• Choice and consent: An organization must describe choices and obtain implicit or explicit consent for collecting, using and disclosing personal information.

• Collection: An organization must collect personal information consistent with privacy commitments in accordance with system requirements.

• Use, retention and disposal: An organization must limit use of personal information for which it has obtained consent and only retain that information for as long as it is needed before securely disposing of it.

2

WHAT IS THE DIFFERENCE BETWEEN THE CONFIDENTIALITY PRINCIPLE AND THE PRIVACY PRINCIPLE?

Service organizations may be confused on whether to report on the Confidentiality principle, the Privacy principle, or both. Here’s how to determine which needs to be reported upon in a SOC report:

• THE CONFIDENTIALITY PRINCIPLE applies to business-to-business (B2B) situations in which the service organization is entrusted with safeguarding confidential information for user organizations. While that information may include personal information for user organizations’ individual customers, the Confidentiality principle also encompasses trade secrets, intellectual property and other information deemed confidential by the user organizations.

• THE PRIVACY PRINCIPLE applies to business–to-consumer (B2C) situations in which an organization has a direct relationship with the individual consumers or customers, rather than functioning as a third-party service provider for user organizations. That means if a service organization’s only customers are user organizations, then the user organizations are obligated to address the Privacy principle criteria, rather than the service organization.

Ultimately, the service organization needs to understand the boundaries of their service and who the user of their services is – a business or a consumer. This will enable both the service organization and the service auditor to properly design the audit to focus on the right Trust Services Principles.

IT Insights: TSP Criteria Updates

• Access: An organization must give an individual access to personal information for review and correction.

• Disclosureandnotifications:An organization must disclose personal information only with individual consent and also provide notification of any security breaches or incidents.

• Quality: An organization maintains accurate and complete personal information.

• Monitoring and enforcement: An organization must monitor compliance with its privacy commitments and system requirements.

Unique Criteria Updated for Confidentiality Principle

CRITERIA UNIQUE to the Confidentiality principle (TSP section 100, C1.7 and C1.8) were updated to address the needs for data retention policies that safeguard confidential information, retain such information only as long as it is needed, and then safely dispose of such information. Such policies apply to personal information as well as trade secrets, intellectual property or other information deemed confidential.

Prepare for Updated TSP

THE 2016 TSP SECTION 100 CHANGES criteria service auditors will likely be examining. Service organization customers should expect those changes to be addressed in a SOC 2 or SOC 3 report. Service organizations need to evaluate existing controls and policies now to ensure their practices align with TSP criteria revisions that must be used for any reports after December 15, 2016. Also, service organizations who held off on adopting the Privacy principle because they found the criteria too confusing may now wish to revisit that decision.

3www.weaver.com | 800.332.7952

CONTACT USBrian Thomas, CISA, CISSP, QSA Partner, IT Advisory Servicesbrian.thomas@weaver.com

Neha Patel, CPA, CISA Partner, IT Advisory Servicesneha.patel@weaver.com Weaver’s IT advisory services group focuses on delivering performance-enhancing consultations that address your IT and business agendas. We work directly with CIOs and others to create a more risk-aware, effective IT organization that can drive process efficiencies throughout your company and better support and deliver transformational business change. Specific services we provide include:

• Application controls review• Business continuity/disaster recovery• Cloud computing assessment• Data analytics• Data privacy• Information security and vulnerability

assessment• ISO27001 reviews• IT audit• IT governance and organizational

effectiveness• IT risk assessment• Pre- and post-implementation

application reviews• System and Organization Controls

(SOC) reporting

Disclaimer: This content is general in nature and is not intended to serve as accounting, legal or other professional services advice. Weaver assumes no responsibility for the reader’s reliance on this information. Before implementing any of the ideas contained in this publication, readers should consult with a professional advisor to determine whether the ideas apply to their unique circumstances.

© Copyright 2016, Weaver and Tidwell, L.L.P.