Belonging to the school of thought that new cars are for the birds, I have nearly 250,000 miles on my 14-year-old SUV. In some ways, it’s a point of pride, but I must admit that the engine doesn’t purr quite like it once did. With each tire rotation, brake replacement, or can of fuel booster, I wonder if it would be best to break down and finally get a new vehicle. In fairness to my vehicle, my demands have changed over the years. I have asked the vehicle to perform in ways that it wasn’t necessarily designed for, or at least not designed to do very well. Certainly the list of reasons to replace the vehicle has grown long over time, and while I am adept at “patching” the problems, I know that the only solution is to replace the vehicle. As a SOC 2 / 3 expert, I believe this same analogy applies to the AICPA’s Trust Service Principles and Criteria (TSPC).
The AICPA must agree given its ASEC Trust Information Integrity Task Force issued an exposure draft containing updates to the Trust Service Principles and Criteria (TSPC) for public comment earlier this month. Those familiar with SysTrust reporting, or the relatively recently branded SOC 2 and SOC 3 reports, already know that the TSPC are a critical portion of the subject matter for those reports. The TSPC have been around for quite some time and were last revised in 2009. If the last revisions were “patches”, the proposed 2013 changes are a complete engine overhaul. The direction of the proposed TSPC appears to include long overdue and important steps towards eliminating the redundancy and inefficiencies of the current TSPC.
Those of us who have performed many SOC 2 engagements already know that the redundancy and inefficiency built into each principle’s criteria set can be maddening. The growing popularity of SOC 2 reporting has exacerbated the issue and increased the related workload in ways the prior CICA/AICPA Trust reporting (i.e. SysTrust and WebTrust) never did. In fact, some believe that the current TSPC is now being used in ways it was never even designed for, hence the relatively quick update following the rollout of the SOC 2 reporting concepts. Nonetheless, its issues have become the equivalent of the proverbial mysterious clunking noise in the car that seems to be getting louder with each passing day.
These issues compound with each additional trust services principle included in the scope of an examination. Some CPA firms attempt to patch the issues by decoupling the redundant criteria from their parent principles and reassembling them into their own set of common criteria. Although creative, this approach is not appropriate under current SOC 2 reporting guidelines. Reporting in a format that is highly redundant and not user friendly is the only option.
It appears that the introduction of the “common criteria” concept in the exposure draft will be an important step toward removing the unwanted redundancy. This should also promote acceptance by both audiences in significant ways. Somewhat ironically, we may find that the market has grown accustomed to the current TSPC reporting methods, much like my fondness for my old car. The thought of change will take some getting used to, and there may be an adjustment period with revised criteria. Care will have to be taken to ensure that changes to the TSPC, however much needed, do not radically change the controls necessary to meet the criteria.
BrightLine has already completed approximately 100 SOC 2 examinations, and the update to the TSPC has a major impact on our practitioners. BrightLine is eager to participate in the public commenting process and provide feedback on the proposed changes. In the meantime, my peek under the hood shows that the proposed revisions were thoughtfully considered and should be a step in the right direction. Of course, we won’t know until we formally test drive the TSPC in a multi-principle SOC 2, but this certainly has the hallmarks of a major overhaul and not just scheduled maintenance.