As we settle into 2018, companies currently subject to SOC 2 examinations – and those that plan to be during the year – should keep an eye on the significant reconfiguration of these examinations set to become effective this coming December. Among the changes, the AICPA has largely scrapped the Trust Services Principles (TSP) that have become familiar over the past several years in favor of a set of Trust Services Criteria (TSC) which encompass the 17 principles of the COSO framework.
For companies currently undergoing SOC 2 examinations, it is imperative that you discuss the changes with your current SOC auditor to make sure you have the newly required controls firmly in place by the end of the year. The AICPA has released a mapping document to highlight the changes between the old and new standards.
For those companies interested in adding SOC 2 to their compliance arsenal in 2018, we recommend forgoing the option of using the extant 2016 TSP for any gap assessment, Type 1 or Type 2 reporting, even though the extant standard would still be acceptable in the short term (prior to December 2018). Lastly, make sure your scoping and planning discussions take into account the sweeping changes under the new standard.
Lurie’s technology consulting team is already rolling up its sleeves to prepare existing clients for the changes and to help companies interested in adopting SOC 2 make sense of the new landscape. If you have questions, we would love to discuss your specific situation.