What are the SOC 2 Trust Services Criteria?

What are the SOC 2 Trust Services Criteria?

Posted on

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

A Helpful History of SAS 70, SSAE 16, SSAE 18, and the SOC Audit

CPA firms have been providing service organization audit reports for several decades. In the early-90s, these reports took a leap forward when the AICPA issued Statement on Auditing Standards (SAS) No. 70. SAS 70 was the authoritative guidance that provided a mechanism for service providers to retain an auditor to issue a report that provides assurances over their internal controls.

As technology became a prominent fixture of the business world, organizations relying on technology service providers required assurances over the security of those organizations. For example, organizations using a 3rd party data center required assurances over the security at that data center.

As a result, technology focused service organizations and their auditors began using the SAS 70 standard for security-focused service organization audits. The SAS 70 standard, however, lacked a security framework because it was never intended for security audits. This caused SAS 70-based security reports to vary wildly from one organization to the next, which was detrimental to the goal of comparability between the reports of different organizations.

To alleviate these issues, the AICPA went through a period of issuing, updating, interpreting, and otherwise doing a lot of standard setting to get us to where we are today. Statement on Standards for Attesting Engagements (SSAE) 18 sets forth the auditing standards under which all Service Organization Control (SOC) exams, including SOC 1 and SOC 2 exams, are performed. The SOC 1 exam is the successor to the financially focused SAS 70, and the SOC 2 exam is the successor to the security focused audits performed under SAS 70. In addition to SSAE 18, SOC 2 exams are further guided by the Trust Services Criteria (TSC), which establishes a common framework for organizational and security compliance.

AICPA Trust Services Criteria

The TSC provides the framework to organizations and auditors that was missing in SAS 70. The TSC empowers organizations and their auditors to evaluate and report on controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy. The TSC contains 61 total objectives and they are organized into two main areas Common Criteria and Additional Criteria.

The Common Criteria contains 33 objectives including objectives derived from the COSO Internal Control Integrated Framework as well as the Security related objectives. The Common Criteria are required for all SOC 2 engagements.

The Additional Criteria include 28 objectives spread between Availability, Processing Integrity, Confidentiality, and Privacy. These criteria are optional. Generally, the decision to include or exclude Additional Criteria from a SOC exam depends upon the expectations and contractual requirements of the service provider. For example, if the service provider has “uptime” guarantees in contracts, it will likely be appropriate to include the Availability criteria in the SOC exam.

You can download the full Trust Services Criteria directly from the AICPA here. The table below summarizes the major areas of the Trust Services Criteria, as well as the number of individual objectives/criteria in each section.

Trust Services Criteria Summary Table

ReferenceTrust Service Criteria SectionNumber of Criteria
Common Criteria
CC1.XCOSO – Control Environment5
CC2.XCOSO – Communication and Information3
CC3.XCOSO – Risk Assessment4
CC4.XCOSO – Monitoring2
CC5.XCOSO – Control Activities3
CC6.XSecurity Criteria Related to Logical and Physical Access Controls8
CC7.XSecurity Criteria Related to System Operations5
CC8.XSecurity Criteria Related to Change Management1
CC9.XSecurity Criteria Related to Risk Mitigation2
Additional Criteria
A1.XAvailability3
C1.XConfidentiality2
PI1.XProcessing Integrity5
P1.XPrivacy Criteria Related to Notice and Communication of Objectives Related to Privacy1
P2.XPrivacy Criteria Related to Choice and Consent2
P3.XPrivacy Criteria Related to Collection2
P4.XPrivacy Criteria Related to Use, Retention, and Disposal3
P5.XPrivacy Criteria Related to Access2
P6.XPrivacy Criteria Related to Disclosure and Notification7
P7.XPrivacy Criteria Related to Quality1
P8.XPrivacy Criteria Related to Monitoring and Enforcement1

 

In upcoming articles, we will go into detail in each one of these areas to provide companies additional guidance.


Keiter provides SOC Exam and Exam Readiness Services for all types of SOC exams. Our SOC services are provided by our Risk Advisory Services Team, which is led by experienced CPAs, CISAs, and technology professionals with industry experience. Our Risk Advisory Teams services a variety of industries and business types.

Please contact us to discuss your company’s SOC needs. Risk Advisory Services Team | Email | Call: 804.747.0000

Additional SOC Resources

Source: AICPA


About the Author

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella, CPA, CISA


The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Contact

How Can We Help You and Your Business?

Innsbrook Corporate Center
4401 Dominion Boulevard
Glen Allen, Virginia 23060

804.747.0000 or 804.273.6200

Directions