
What Changes Are Made To SOC 2? What Role Does COSO 2013 Play?

Keshava Murthy
CEO
August 2023 | 5 mins

Big changes are coming soon to the way SOC 2 audits are conducted.

Effective December 15, 2018, all SOC 2 audits will need to comply with TSP Section 100—the 2017 Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.

Currently, organizations can specify whether they are using 2016 or 2017 SOC 2 reporting criteria, but come December 15, all reports will have to be issued using the 2017 Trust Services Criteria.

The new SOC 2 audit reports will focus on changes meant to address head-on the current security breach landscape, which appears to be getting worse with each incident.

Many of these changes align with the 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control criteria already in place but feature tighter controls to thwart and mitigate cybersecurity breaches and increase flexibility in the application of controls over areas such as security and privacy.

SOC 2 Trust Principles

  • Security: The effectiveness of policies and procedures governing the way organizations protect themselves against unauthorized access and respond to security breaches resulting in unauthorized disclosure of information will be periodically evaluated.
  • Availability: Information and systems must be available for operation and use to meet the entity’s objectives.
  • Confidentiality: Information designated as confidential must be sufficiently protected from unauthorized access to meet organizational effectiveness.
  • Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized to meet organizational objectives.
  • Privacy: Personally identifiable information must be collected, used, disclosed, and disposed of in a secure manner.

To be clear, TSP Section 100 is aligned with the 2013 COSO Internal Control–Integrated Framework, a recognized framework for assessing the effectiveness of an organization’s internal controls over functions such as financial reporting.

The main principles guiding the 2013 COSO Internal Control–Integrated Framework are comprehensive and are outlined here:

Control Environment

Your organization should demonstrate a commitment to integrity and ethical values.

This starts with the board of directors ensuring oversight over management and performance of internal controls.

Management, in turn, should work closely with the board of directors in pursuit of organizational objectives, which include the commitment to attract, develop, and retain competent staff and hold employees accountable for their internal-control responsibilities.

Risk Assessment

Your organization must not only identify and assess risks with sufficient clarity but also analyze those risks as a basis for how risks should be managed when they arise.

In other words, have a well-thought-out plan of action.

Your organization should also consider the potential for fraud when assessing risks, to ensure the integrity of the process, and identify changes that could significantly affect the system of internal control, a fail-safe measure.

Control Activities

Your institution must select and develop control activities that contribute to mitigating the risks to achieving your goals down to acceptable levels.

Basically, you need to select processes for governing technology that support your objectives, and you should deploy policies and procedures to establish expected outcomes.

Information and Communication

Governments and other related entities rely on information gathering to support their activities.

Your organization is no different when it comes to meeting the new SOC 2 audit requirements.

You will need to obtain and use relevant, quality information to support the functioning of internal control. In addition, it is essential to effectively communicate any information internally and externally, including with third parties, regarding matters that affect the functioning of internal control.

In other words, all parties must talk to each other.

Monitoring Activities

Compliance is a function of how well you self-monitor your own activities.

Your organization is expected to select, develop, and perform ongoing evaluations of the effectiveness of each component of internal control and its functional efficiency.

If an internal control deficiency is identified, you are expected to communicate your findings to all parties responsible for taking corrective action, including C-suite executives, the board of directors, and other decision makers.

Conclusion

As the cybersecurity landscape evolves, compliance becomes a constantly moving target, which often brings with it confusion over how to remain compliant.

Want to learn more about a SOC 2 audit for your organization? Contact us for a free consultation regarding your audit needs.

Frequently asked questions

1. What is a SOC 2 compliance automation platform?

A SOC 2 compliance automation platform streamlines the process of achieving and maintaining SOC 2 compliance. It automates the collection of evidence, manages controls, monitors compliance in real time, and generates reports. This significantly reduces the manual effort and time required, ensuring that policies and procedures are consistently applied and documented, making the audit process more efficient and less resource-intensive. Save hours of work on SOC 2 compliance by using a SOC 2 compliance automation platform like OptIQ.

2. What are the SOC 2 compliance requirements?

SOC 2 compliance is centered around five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Organizations must establish and follow strict information security policies and procedures, encompassing the security of the information system, data protection measures to prevent unauthorized access, and ensuring system availability as promised. Additionally, the integrity of processing operations, the safeguarding of confidential information, and the management of personal data in line with privacy principles are crucial. Compliance involves regular audits to verify adherence to these criteria.

3. What companies require SOC 2 compliance?

Companies that handle customer data, particularly those in technology, SaaS, cloud computing, and IT services, require SOC 2 compliance. This includes businesses offering online platforms, software solutions, and any service that processes or stores customer information, aiming to assure clients of their commitment to maintaining high standards of data security and privacy.
