New Changes to Trust Services Criteria and SOC 2 Reporting


The AICPA continues to adjust and refine the SOC 2 reporting requirements. The most recent release includes significant changes to the Trust Services Criteria and also addresses cybersecurity risks while offering increased flexibility. The AICPA also issued a Description Criteria.


Available for use now, the AICPA has recently released new Trust Services Criteria for SOC 2 reporting. The new criteria will be required for reports with a period that ends on or after December 16 of this year. The recent changes are significant, and require additional time and attention from the companies who issue SOC 2 reports. These changes include:   

  • Trust Services criteria now align with COSO 2013 and lay out points of focus
  • Five principles are now called five categories
  • Trust Services criteria, adjusted to better address cybersecurity risks
  • Separate Description Criteria requirements that specify requirements of the system description, along with implementation guidance.

Effective Date and Transition

Companies are required to use the new criteria for all reports whose period ends on or after December 16th, 2018. 

RyanSharkey Insights

Prepare for the new standards – sooner rather than later. 
If you issue SOC 2 reports or plan to issue a SOC 2 report, it’s essential for your business to understand the new SOC 2 requirements – and how they’ll impact your organization’s SOC 2 reporting process. Early preparation will help companies stay ahead of the curve when it comes to attestation.

Whether you’ve obtained a SOC 2 report in the past, or are planning to do so in the future, we can help you:

  • Gain an understanding of the reporting needs in light of the updates to the Trust Services Criteria and the Description Criteria;
  • Develop a SOC 2 reporting plan for the new requirements;
  • Complete an assessment/gap analysis based on selected SOC 2 criteria against the new requirements;
  • Identify any reporting gaps to determine any necessary incremental controls and system description updates.

For more information or to request a quote for your SOC report, please contact Ed Ryan, CPA at 703.652.1124 or please feel free to leave us a message below.

Copyright © 2018 BDO USA, LLP. All rights reserved.

Blog Author: 
Blog Category: 

Material discussed in this article is meant to provide general information and should not be acted on without professional advice tailored to your firm’s individual needs.

Questions? Contact RyanSharkey using the form below.

Fill out my online form.