(270) 506-5140 CONTACT US
SOC Reports

SAS 70, SSAE 18 and now the Vendor SOC 2 Alignment with COSO…Oh My!

Nov 18, 2019 by Desiree Ericksen

Just as the world is constantly changing, so is the world of vendor management. Thankfully, the world of vendor management is changing to improve vendor security and oversight for the better via SOC 2 reports! We’re going to delve further into what we mean and why it’s important.  

Vendor Security and Oversight Changes

So, what’s the big change? And what do you need to look for?

First, let’s recap a couple of the most eye-catching changes announced in 2017 that also come into play here:

  1. Renaming of Trust Services Principles (TSP) to Trust Services Criteria (TSC)
  2. Renaming the SOC acronym – transitioning from Service Organization Controls to System and Organization Controls

Many have been using these terms since.

Now, announced by the American Institute of Certified Public Accountants (AICPA), the latest, major change that focuses on improving vendor security and oversight: The SOC 2’s alignment with Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013.

If you’re not familiar, COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public entities and their independent auditors, for the SEC, other regulators and for educational institutions.

In 2013, there was an update to the Internal Control — Integrated Framework as it’s called, which helps organizations design and implement internal control in light of the many changes in business and operating environments since the issuance of the original framework in 1992. The update broadened the application of internal control in addressing operations and reporting objectives and clarifies the requirements for determining what constitutes effective internal control.

3 Important Things to Know About the SOC 2 Alignment with COSO

Three important things that you should know about the SOC 2 alignment with COSO are:

  • Again, it only affects SOC 2 reports.
  • The changes affect reports with review periods ending after December 15, 2018.
  • Now, with the addition of COSO, there are more specific control requirements that fall under the existing Trust Services Criteria which are the evaluation of security, availability, processing integrity, confidentiality and privacy. With the addition of COSO, the evaluation can include the entire entity, the entity’s subsidiaries and more so it takes it a level deeper.

5 Components of COSO 2013

There are five components of COSO 2013. They are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

There are 17 principles that fall under these five components. The two main components that impact the SOC 2 reports are risk assessment and control activities. Let’s discuss both further:

  • Risk Assessment requires that the vendor establish an appropriate risk assessment program. This component states that your vendor should identify, select and develop risk mitigating activities that will better allow your vendor to manage risks arising from possible business interruptions and the use of third party vendors and business partners.
  • Control Activities require your vendors to develop control activities that assist them in the mitigation of risks through appropriate policies and procedures, either through business processes or the use of technology.

There’s a common standard format of the SOC 2 layout, yet there are some slight variations depending on who prepared the report which will determine how you’ll see the change reflected. With that said, the report should identify how the Trust Service Criteria is mapped to the COSO 2013 Principles. Basically, it takes it a step further and ties TSC with COSO principles.

To help you better understand how the report will incorporate the COSO 2013 Principles, here’s a good example regarding the Security TSC with COSO Principles incorporated:  

COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

COSO Principle 3: Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.

COSO Principle 4: The entity demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.

COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

And finally, tying it together, all will be mapped to Criteria Group 1: These are the 5 COSO principles that will now be tied to the Security TSC.

Overall, we live in a constantly changing world where the regulatory environment needs to remain fluid. Ultimately, it’s our combined responsibility to verify that our vendors are abiding by these new SOC 2 reporting practices. Fortunately, for your customers and organization, these changes are resulting in enhanced controls that aim to protect us all!

Need a better breakdown of vendor SOC report terms? Download the dictionary.

New call-to-action


Desiree Ericksen

Written by Desiree Ericksen

Desiree is a self-motivated financial services industry leader with 14 years’ experience through nearly all financial institution operations, from teller to Vice President – IT/Security Officer. Now providing detailed analysis to financial services companies, she is able to apply years of direct subject matter knowledge, analyzing inherent risk of vendors and their subservice providers. She earned a Bachelor’s degree in Business Information Systems and is a Certified Information Systems Security Professional (CISSP). Through her experience in regulatory, internal and external audits, she has first-hand experience in what challenges financial services organizations are facing in third party risk management.

Follow Desiree Ericksen

Subscribe to the Venminder Blog