A Seamless Transition to the New TSP in 3 Steps

April 23, 2014 Ryan Buckner

In January, the AICPA Assurance Services Executive Committee (ASEC) released the revised version of the Trust Services Principles and Criteria (TSP). Since the release, there have been questions on the best way to undertake the transition process to the new TSP. Below are 3 steps that will help your organization apply the changes from the standard, manage the transition effectively, and gain a deeper understanding of leading practices.

1: DETERMINE CUSTOMER EXPECTATIONS

Now is a good time to determine and/or reassess customer (report user) expectations regarding early adoption of the revised TSP criteria. The revised Trust Services Principles and Criteria (TSP 100) were published earlier this year and are effective for reports covering periods ending on or after December 15, 2014. As a result, organizations have the option to early adopt TSP 100; however, early adoption is not a requirement. Additionally, several SOC 2 or SOC 3 stakeholders, including requestors of the report, may not be aware of the revised criteria and may therefore not expect them to be used, particularly if those users have audit plans that map to the previous criteria set (TSP 100A). Organizations undergoing SOC 2 or SOC 3 examinations with report periods ending prior to December 15, 2014, should ask their key SOC report stakeholders whether the TSP 100A criteria set or the revised TSP 100 criteria set is needed for this transition year. Keep in mind that dual reporting under both criteria sets is possible, though this is a rare reporting consideration. If you want to consider the dual-reporting option, an experienced SOC 2 and SOC 3 auditing firm can effectively explore it with your organization.

2: READINESS ASSESSMENT

Service organizations undergoing a SOC 2 or SOC 3 examination for the very first time are strongly encouraged to consult with an experienced audit firm to determine whether a readiness or preliminary assessment against either criteria set should be performed prior to the actual examination. Service organizations that have previously undergone SOC 2 or SOC 3 examinations against TSP 100A may find particular benefit in a focused readiness assessment of the specific processes most likely to be affected by the revised TSP 100. This may take the form of a collaborative effort between your organization and an auditing firm to identify the major components of the control procedures and systems to be evaluated against the pertinent criteria, or even a comprehensive assessment against the full set of TSP 100 criteria. The common criteria (Security Principle) will need to be considered by all service organizations undergoing SOC 2 or SOC 3, since that principle is now the foundation for all SOC 2 and SOC 3 examinations (other than Privacy Principle-only examinations).

3: TIMING

Consider the timing of your examination and whether use of the old criteria is reasonable in the circumstances. As with the point above, your organization should weigh the expectations of your report stakeholders along with your resource availability for understanding and adjusting to the TSP 100 criteria. Because the TSP 100 criteria were issued only recently and are still relatively unfamiliar to report users, organizations may continue using the previous criteria set (TSP 100A) while they work out the impact of the new criteria on their organization and SOC reporting. This is particularly important for organizations committed to providing SOC 2 or SOC 3 reports in the near term when a readiness assessment against TSP 100 cannot be performed effectively in the interim period.

Right now is the perfect time to take advantage of the 2014 transition period.

The beauty of this transition year is that it affords many organizations the opportunity to proceed with the TSP 100A criteria and adjust gradually to the TSP 100 criteria set for 2015 and beyond. Several of our customers are already benefiting from our dual assessment approach, whereby BrightLine engagement teams perform the 2014 SOC 2 or SOC 3 examination concurrently with a readiness assessment against the TSP 100 criteria set for the subsequent examination in 2015. This allows organizations to leverage existing projects for greater audit efficiency.

About the Author

Ryan Buckner

Ryan Buckner is a Principal at Schellman & Company. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC 1 and SOC 2 examinations. Having completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.
