AICPA Updates the Trust Services Principles and Criteria Related to SOC 2 & 3 Audits
In February, the American Institute of Certified Public Accountants (“AICPA”) released an updated edition of its Trust Services Principles and Criteria (“TSP”) 2014. The TSP criteria are used by CPA firms in performing Service Organization Control (“SOC 2” or “SOC 3”) audit engagements that report on the system controls relevant to security, availability, processing integrity, confidentiality and/or privacy. The revised Trust Principles are effective for reporting periods ending on or after December 15, 2014, but the AICPA is permitting early adoption.
The revisions are intended to improve clarity, eliminate redundancy, and update criteria based upon changes in technology and business environments. Specific revisions include a restructuring of control criteria, called “Common Criteria”, which form the requirements of the “Security” principle. Clients reporting on additional trust principles (e.g. Availability, Processing Integrity, and/or Confidentiality) will then report on control criteria applicable only to that single principle. However, it should be noted that this revision does not affect criteria related to the “Privacy” principle.