In October of 2022, the American Institute of Certified Public Accountants (AICPA) released an updated SOC 2 guide that includes critical changes to the popular framework. According to the AICPA, a portion of these changes are focused on providing better support for the application of the five trust services criteria (TSC) that may be applied during a SOC 2 audit—security (required), availability, confidentiality, processing integrity, and privacy.
The AICPA established the five TSCs in 2017 to create a process for issuing SOC 2 reports to organizations that complete a successful SOC 2 audit. Each criterion comes with its own set of unique objectives and a certain number of points of focus, which are examples of how organizations can design and implement their control environments. For instance, the availability TSC includes three points of focus, while the privacy TSC includes eight additional points of focus.
The TSC points of focus are not requirements; they act more like guidelines to help you better understand what you can do to meet each criterion. They’re also a good resource for understanding how an auditor will think about each TSC when evaluating and testing your organization’s controls.
While the 2022 SOC 2 revisions, overall, provide clarity on recent and emerging industry topics, one of the most significant changes is the adjustment of the security TSC points of focus. Let’s take a look at the specific security TSC objectives and the AICPA changes to its points of focus so you can confidently go into your SOC 2 audits under the new revisions.
Unlike the TSC categories of availability, confidentiality, processing integrity, and privacy, the security TSC is required for all SOC 2 reports. The objective of the security TSC is to ensure that information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems.
There are a total of nine security points of focus organizations should adhere to in order to meet the security criteria, including:
Organizations should implement at least two to three controls to support each point of focus for the security TSC. That way, if one control fails, the additional control activities still support the criteria and will not result in a qualified opinion.
Overall, the changes to the SOC 2 points of focus are minimal. If your organization has already identified and mitigated its primary risks, many of the affected controls will already be in place. The adjusted points of focus should only result in new or revised controls if you and your auditor determine that your existing controls do not adequately address the criteria. Additionally, organizations that have completed past versions of a SOC 2 audit are not required to update to the new version.
The AICPA states that “The changes to the points of focus in the 2022 revisions do not, in any way, alter the criteria in the 2017 TSC. Such criteria continue to be suitable criteria for use when evaluating controls in any trust services engagement.”
Below is a breakdown of the security TSC points of focus revisions. Let’s dive in.
The revisions provide additional clarity on information relevant to internal control systems, such as:
The revisions provide additional guidance on managing and identifying threats to data recovery, creating more effective mitigation strategies, and better aligning with other privacy best practices.
The revisions to the risk assessment points of focus outline a more detailed approach to evaluating risks by defining the components of a risk assessment as (1) identifying threats and vulnerabilities and (2) evaluating the likelihood and impact of a threat intersecting with a vulnerability.
Updated points of focus for logical and physical access encourage program participants to evaluate all logical access controls across an organization, including:
The revisions for system operations and monitoring encourage organizations to consider activities performed by the first and second lines of defense in addition to internal audit functions and other IT assessments historically identified in SOC 2 reports.
Previously, identification, testing, and implementation of software patches and resilience requirements were not included in the change management category, and these have been added as points of focus to provide more clarity.
The updated points of focus for risk mitigation provide guidance on residual risks that remain after internal controls are in place and management has evaluated whether to accept, reduce, or share risks.
The good news is, not much! The changes outlined above are updated guidance for organizations and auditors alike. For many, the revisions will have a small impact on audit engagements. Your BARR auditor may ask you to tailor existing controls to cover these changes or provide revised evidence. In other cases, we might determine that new controls are needed to address the revised points of focus.
Either way, BARR is here to help guide you through the process. Organizations operating on the previous version of SOC 2 are not required to update to the new version. However, these revised points of focus have been added to the existing requirements and will be implemented for organizations that would like to adhere or update to the newest version of SOC 2.
Contact us today for more information on BARR’s attest services and how we can help your organization achieve a successful SOC 2 report.