In September 2022, the American Institute of Certified Public Accountants (AICPA) released revised points of focus to the 2017 Trust Service Criteria. According to the AICPA, a portion of these changes are focused on providing better support for the application of the five trust services criteria (TSC) categories that may be applied during a SOC 2 audit—security (required), availability, confidentiality, processing integrity, and privacy.
Each TSC category includes specific criteria along with points of focus, which are important characteristics of each criterion that may assist both management and the practitioner when they are evaluating whether controls were suitably designed and operating effectively to achieve the entity’s objectives based on the scoped TSCs.
The TSC points of focus are not requirements but act more like guidelines to help you better understand what you can do to meet each criterion. They’re also a good resource for understanding how an auditor will think about each TSC when evaluating and testing your organization’s controls.
While the 2022 SOC 2 points of focus revisions, overall, provide clarity on recent and emerging industry topics, the changes themselves are minimal. The AICPA states that “The changes to the points of focus in the 2022 revisions do not, in any way, alter the criteria in the 2017 TSC. Such criteria continue to be suitable criteria for use when evaluating controls in any trust services engagement.”
Below is a breakdown of the security TSC points of focus revisions. Let’s dive in.
CC1: Control Environments
The revisions provide additional clarity on governance, including:
Establishing reporting lines and structures (CC1.3)
Disciplinary actions and sanctions (CC1.5)
CC2: Communication and Information
The revisions to the points of focus for CC2.1, 2.2, and 2.3 provide additional guidance on information relevant to internal control systems, such as:
Asset inventory and location
How to classify information
Clarity on data flow
Complete and accurate information
Information and incident communication
CC3: Risk Assessments
The revisions of the risk assessment ‘points of focus’ outline a more detailed approach to evaluating risks by defining the components of a risk assessment as identifying threats and vulnerabilities and evaluating the likelihood and impact of a threat intersecting with a vulnerability. (CC3.2 and CC3.4)
CC4: Monitoring Activities
The revisions of the monitoring points of focus detail additional guidance regarding ongoing and separate evaluations. (CC4.1)
CC5: Control Activities
There were no revisions to points of focus.
CC6: Logical and Physical Access Controls
Updated points of focus for logical and physical access (CC6.1 – 6.8) encourage program participants to evaluate all logical access controls across an organization, including:
CC7: System Operations
The revisions for system operations encourage organizations to consider the impact, use, and disclosure of confidential information (CC7.3).
CC8: Change Management
Points of focus revisions to CC8.1 include identification, testing, and implementation of software patches and system resiliency considerations.
CC9: Risk Mitigation
The updated ‘points of focus’ for CC9.2 provide additional guidance on the assessment and management of risk, such as considering the evaluation of vulnerabilities arising from vendors and business relationships.
The good news is, not much! The changes outlined above are updated guidance for organizations and auditors alike. For many, the revisions will have a small impact on audit engagements.
BARR is here to help guide you through the process. Contact us today for more information on BARR’s attest services and how we can help your organization achieve a successful SOC 2 report.