Compliance Crowe

What You Need to Know About the New SOC 2 Reporting Requirements

Sponsored by Crowe

The AICPA released newly applicable guidance on System and Organization Controls (SOC) reports. Organizations that issue or receive SOC 2 reports must understand what these new requirements mean and how to make the transition to the new requirements.

©fizkes/iStock/Getty Images Plus

Peace of mind about security is vital for organizations, and System and Organization Controls (SOC) reports are a critical part of vendor risk management programs. Organizations that issue SOC 2 reports to current and prospective customers, as well as those that receive SOC 2 reports from vendors, will need to familiarize themselves with the newly applicable American Institute of Certified Public Accountants (AICPA) guidance.

As more organizations outsource critical business and information technology functions to third parties, they rely heavily on SOC reports as a critical component of their vendor risk management programs. SOC reports are a valuable tool to communicate the internal controls of a service provider and to provide assurance over control effectiveness through an independent examination by a CPA firm.

While SOC 1 reports specifically are intended to address internal controls over financial reporting, SOC 2 reports are applicable to any service provider responsible for internal controls over customer systems or data.

During the past 18 months, the AICPA released updated guidance over two critical components of SOC 2 reporting. Both sets of criteria must be addressed for SOC 2 reports with a reporting period ending Dec. 16, 2018, or later:

  • The trust services criteria (TSC) framework, used as the basis to evaluate service providers’ controls
  • The description criteria (DC), which require certain content to be included in a SOC 2 description of a service organization’s system

Trust services criteria updates

The structure and criteria language of the TSC framework have been significantly updated, as the criteria have been realigned to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 “Internal Control – Integrated Framework.” However, service organizations still may choose from five reporting options:

  • The common criteria, which includes security (required for all SOC 2s)
  • Availability
  • Confidentiality
  • Processing integrity
  • Privacy

The four optional categories have minimal changes to their control criteria, and, for the most part, organizations can continue to employ their existing control activities to address those criteria.

Several changes have been made to the common criteria and affect all service organizations that issue a SOC 2 report. Most significantly, more prescriptive control requirements relate to two areas: risk management and incident response. As a result, service organizations are now pushed toward more standardized, robust, and mature processes – to the benefit of their customers.

Description criteria changes

The primary change made to the DC is a new requirement that a service organization specify its principal service commitments made to its customers related to the selected SOC 2 reporting categories. This new requirement helps SOC 2 report users understand the specific objectives that the service organization’s controls should be designed to achieve – for example, what security or processing integrity means in the context of the provided services and responsibilities of the service organization. The description of principal service commitments enables
SOC 2 report users to better evaluate whether the service organization has implemented the right controls.

Transitioning to the new requirements

User organizations should review future reports to verify that principal service commitments are adequately described and that the service organizations’ controls sufficiently address the new TSC.

Service organizations that issue SOC 2 reports should perform a comprehensive review of the new TSC framework and begin mapping their existing SOC 2 controls to identify potential gaps. Any control remediation then can be prioritized based on complexity, level of effort, and the timing of when the control has to be in place relative to the service organizations’ SOC examination period. In addition, to address the new DC, service organizations should review customer-facing documentation such as contracts and user manuals to identify where relevant service commitments have been communicated and develop additional content for their SOC 2 descriptions.


Access a recording of the recent Crowe webinar “Taking Control: Understanding the New SOC 2 Requirements" here.