Principles related to the testing of controls at Service Organizations have been updated. Examples of Service Organizations include entities providing technology services and/or information processing services. The Trust Principles relate to the service organization controls that are non-financial and would typically be reported in a Service Organization Control report (SOC 2). A SOC 2 report can include one or more of the five Trust Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.
Why the Update?
On July 30, 2013, the AICPA released an Exposure Draft for Trust Services Principles and Criteria. Continued evolution of technology and SOC reporting has led to streamlining the controls, particularly those related to security. The Exposure Draft (comments are requested by September 30, 2013) contains changes which should prove beneficial to service organizations as well as practitioners.
The Trust Principles were streamlined into 28 common criteria for the Security Principle.
- Organization and Management (4)
- Communications (6)
- Risk Management and Design and Implementation of Controls (3)
- Monitoring of Controls (1)
- Logical and Physical Access Controls (8)
- System Operations (2)
- Change Management (4)
Additional criteria are defined for those entities wishing an independent opinion on other Trust Principles:
- Common criteria for Availability (3)
- Common criteria for Processing Integrity (6)
- Common criteria for Confidentiality (6)
The Privacy Principle, its Generally Accepted Privacy Principles (GAPP) and ten supporting sub-principles, are not part of this exposure draft.
What hasn't changed is the general format of the SOC 2 report: the independent auditor's opinion, Management's Assertion, a System Description and in the case of a Type 2 report, a description of the tests performed by the service auditor and the results of those tests.
Please take a moment, as an entity using a service organization or a service organization, to provide comments to the AICPA on this exposure draft: here.
Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.