In the following podcast interview, Anthony DiGiulian, a Senior Manager with SC&H Group, discusses the AICPA’s recently updated edition of the SOC 2 Trust Services Principles (TSP) Guidance.
In today’s digital economy, service organizations that host, manage, or transport data for customers need to continually illustrate effective controls, and require independent assurances that they are managing this information securely.
However, due to multiple regulatory requirements, providing these assurances to multiple customers can be overwhelming.
To help tackle these challenges, the American Institute of CPAs (AICPA) released an updated edition of the SOC 2 Trust Services Principles, Criteria, and Illustrations, effective for periods on or after December 15, 2014.
The updated edition provides two primary changes:
- Introduction of Common Criteria to eliminate redundancy across multiple Trust Principles and related control criteria
- Additional guidance regarding requirements for a detailed risk assessment to be performed by management
Developed by the AICPA to test and report on the design and operating effectiveness of non-financial controls for IT-enabled systems, the five Trust Services Principles are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The updated SOC 2 Trust Services Principles help service organizations to report on multiple principles more efficiently and effectively across Common Criteria as it relates to their system. Prior to the update, organizations had to report on each Trust Services Principle individually on each criterion.
Under the updated risk assessment requirements, service organizations are now responsible for performing and periodically updating a detailed risk assessment, which specifically addresses risks related to each criterion contained within the trust principles being evaluated.
By being proactive and building a controls environment to meet the new AICPA requirements upfront, it is possible to both reduce costs and increase your competitive edge.
Do you know if your organization is ready for a SOC 2 Security Audit? To determine your audit-readiness, we recommend taking this simple online assessment.
To learn more about SC&H Group’s audit expertise with SOC/SSAE 16 reporting frameworks, click here. In addition, if you have any questions about the updated SOC 2 Trust Services Principles Guidance, we welcome you to contact Anthony here.