SOC 2 Maintenance or Overhaul?

September 9, 2013 Ryan Buckner

Belonging to the school of thought that new cars are for the birds, I have nearly 250,000 miles on my 14 year old SUV. In some ways, it’s a point of pride, but I must admit that the engine doesn’t purr quite like it once did. With each tire rotation, brake replacement, or can of fuel booster, I wonder if it would be best to break down and finally get a new vehicle. In fairness to my vehicle, my demands have changed over the years. I have asked the vehicle to perform in ways that it wasn’t necessarily designed for, or at least not designed to do very well. Certainly the list of reasons to replace the vehicle has grown long over time, and while I am adept at “patching” the problems, I know that the only real solution is to replace the vehicle. As a SOC 2 / 3 expert, I believe this same analogy applies to the AICPA’s Trust Service Principles and Criteria (TSPC).

The AICPA must agree, given that its ASEC Trust Information Integrity Task Force issued an exposure draft containing updates to the Trust Service Principles and Criteria (TSPC) for public comment earlier this month. Those familiar with SysTrust reporting, or the relatively recently branded SOC 2 and SOC 3 reports, already know that the TSPC are a critical portion of the subject matter for those reports. The TSPC have been around for quite some time and were last revised in 2009. If the last revisions were “patches”, the proposed 2013 changes are a complete engine overhaul. The direction of the proposed TSPC appears to include long overdue and important steps toward eliminating the redundancy and inefficiencies of the current TSPC.

Those of us who have performed many SOC 2 engagements already know that the redundancy and inefficiency built into each principle’s criteria set can be maddening. The growing popularity of SOC 2 reporting has exacerbated the issue and increased the related workload in ways the prior CICA/AICPA Trust reporting (i.e. SysTrust and WebTrust) never did. In fact, some believe that the current TSPC is now being used in ways it was never designed for, hence the relatively quick update following the roll out of the SOC 2 reporting concepts. Nonetheless, its issues have become the equivalent of the proverbial mysterious clunking noise in the car that seems to be getting louder with each passing day.

These issues compound with each additional trust services principle included in the scope of an examination. Some CPA firms attempt to patch the issues by decoupling the redundant criteria from their parent principles and reassembling them into their own set of common criteria. Although creative, this approach is not appropriate under current SOC 2 reporting guidelines. Reporting in a format that is highly redundant and not user friendly is the only option.

It appears that the introduction of the “common criteria” concept in the exposure draft will be an important step toward removing the unwanted redundancy. This should also promote acceptance by both audiences in significant ways. Somewhat ironically, we may find that the market has grown accustomed to the current TSPC reporting methods, much like my fondness for my old car. The thought of change will take some getting used to, and there may be an adjustment period with the revised criteria. Care will have to be taken to ensure that changes to the TSPC, however much needed, do not radically change the controls necessary to meet the criteria.

BrightLine has already completed approximately 100 SOC 2 examinations, and the update to the TSPC has a major impact on our practitioners. BrightLine is eager to participate in the public comment process and provide feedback on the proposed changes. In the meantime, my peek under the hood shows that the proposed revisions were thoughtfully considered and should be a step in the right direction. Of course, we won’t know until we formally test drive the TSPC in a multi-principle SOC 2, but this certainly has the hallmarks of a major overhaul and not just scheduled maintenance.

About the Author

Ryan Buckner

Ryan Buckner is a Principal at Schellman & Company. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC 1 and SOC 2 examinations. Having completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.
