The AICPA Trust Services Criteria are what drive SOC 2 reports, because the AICPA designed them for use in attestation or consulting engagements. They are the primary means by which you and your CPA measure and report on your controls for the trust services categories, which you have probably heard of: Security, Availability, Processing Integrity, Confidentiality, and Privacy. In this post, we dive into the details of the criteria: why they exist, how they are used, and what they mean for SOC 2.
Want to know more about the flow-down and the differences between categories and criteria before you dive in here? Check out our SOC 2 information flow-down article.
The trust services criteria (“TSC”) were developed by the AICPA as a means to measure the suitability of the design and the operating effectiveness of controls relevant to the security, availability, and processing integrity of a system’s information, and to the confidentiality and privacy of that information. These criteria (and the trust services categories) are the primary focus of SOC 2.
The TSC were designed with the risks that threaten a company’s ability to meet the objectives of its internal control system in mind. A company addresses these risks through suitably designed controls that, if operating effectively, help achieve the entity’s objectives. The risks identified by the AICPA include:
The nature of a company’s operations and the environment in which it operates
The types of information generated, used, or stored by the company
The types of commitments made to customers and third parties
Responsibilities entailed in operating and maintaining systems and processes
The technologies, connection types, and delivery channels used
The use of third parties (such as service providers and suppliers) who have access to the system and provide the company with controls that, together with the company’s own controls, are necessary to achieve its objectives
System changes, including changes to operations and related controls, processing volume, key management personnel, legal and regulatory requirements, and the introduction of new services, products, or technologies
The TSC are organized in a way that aligns with the risks listed above. First come the “common criteria”, which apply to every trust services category. The common criteria were derived from the COSO 2013 framework and specifically address:
The control environment (CC 1 series)
Communication and information (CC 2 series)
Risk assessment (CC 3 series)
Monitoring of controls (CC 4 series)
Control activities related to the design and implementation of controls (CC 5 series)
There are also supplemental criteria that apply to any trust services engagement (think security). Those include:
Logical and physical access (CC 6 series)
System operations (CC 7 series)
Change management (CC 8 series)
Risk mitigation (CC 9 series)
Nearly every SOC 2 will include the CC 1 through CC 9 series. When you add any of the other categories (availability, etc.), you also add the supplemental criteria specific to that category:
Availability (A series)
Confidentiality (C series)
Processing integrity (PI series)
Privacy (P series)
Each series above contains a prescribed number of criteria intended to meet that series’ objectives (for example, objectives related to change management in CC 8). The CC 8 series has only one criterion, CC8.1. That criterion, along with the criteria for whichever categories you have in scope, won’t change from one SOC 2 to another. Some criteria could be N/A for your company (for example, as a cloud provider you may not handle the physical access controls in CC6.4), but you would still list the criterion (CC6.4) and explain why it is N/A for you.
For each criterion, you then show the control(s) that help you meet it. There is no prescribed number of controls and no prescribed control wording, because SOC 2 is a reporting framework, not a compliance framework. Your controls may be worded differently than another organization’s, or you may have 3 controls to meet a specific criterion where a similar organization has 5. As long as your 3 meet the criterion, that’s OK.
When the AICPA published the Trust Services Criteria, it adopted the COSO idea of points of focus that relate to each criterion, defined as “important characteristics of the criteria.” Think of them as a guide to meeting the criteria: they are not required, your controls do not have to match their wording, and you likely won’t need controls for every point of focus in order to meet a criterion.
If you are building your control environment and getting ready for SOC 2, however, the points of focus are a great source of ideas for controls and wording, and they show what auditors and the AICPA are looking for when assessing whether criteria are met.
The best way to understand the criteria is to read them as the AICPA wrote them. The criteria listing starts on page 13 of that document. Read each one and think about what your company does to meet it, using the points of focus as a guide to what each criterion is looking for. Here is a snapshot of how to read that document:
The trust services criteria are a very important aspect of SOC 2 and are critical to successfully preparing for and navigating the SOC 2 process. They are also critical to a “clean” SOC 2: if you fail to meet the criteria, which in turn means you fail to meet your objectives, you may receive a qualified opinion from your CPA in your SOC 2 report. Make sure you take the time to understand the trust services criteria before pursuing SOC 2!