Richard Porter: Hello, I’m Richard Porter. Welcome to the second in our third party confidence series. I am delighted to welcome back Fiona Davis who leads our Third Party Assurance services in the London Region and Damian Regan who leads the equivalent for the Insurance and Investment Management sector. Today we will be picking up some key themes prompting organisations to consider a SOC 2 report, along with some recent proposed revisions to the SOC 2 framework itself. So Fiona, what have we been seeing in the market over the last few months?
Fiona Davis: Well Richard, I think it’s useful to highlight that we have been seeing a range of triggers from both an internal and external stakeholder perspective but equally lots of interest from a regulator perspective as well.
But just picking up on that internal stakeholder side, we have recently been working with a large organisation who are launching an end-to-end software-as-a-service proposition. And pre-go-live they were really keen to get some comfort around the robustness of both the processes and controls, as well as the security of the associated customer data.
But I think the really interesting angle of this particular example is that it was the audit committee who requested that additional transparency because they believe it will be of real benefit to potential customers. But equally they themselves, pre-go-live, are really keen to get some comfort around the processes and controls associated with cyber security.
So when considering the best approach on this, SOC 2 seemed like the best solution because ultimately it provided that level of confidence both internally and externally, so for me this is a really great example of how SOC 2 is helping manage both commercial and reputational risk.
Richard Porter: Ok so that’s an interesting governance perspective and I get the internal stakeholder perspective. But Damian, maybe you can shed some light on the experience we’re seeing with external stakeholder insights?
Damian Regan: Yes certainly. We’re seeing an increase in demand through a combination of two things: one is increasing customer requirements and requests; and secondly regulatory change, so collectively driving forward the market.
We’re actually working with an insurance company at the moment and they tell us that they have experienced increased IT audit fatigue dealing with some of those customer requests, and also increased cyber security risk questions and scrutiny, so collectively that’s driving the market forward.
Richard Porter: Ok, and in this case why did they choose a SOC 2 report?
Damian Regan: So three key reasons – the first is the existing standards in the market such as ISO 27001 didn’t give them the level of assurance they wanted. Secondly, the report itself – they wanted a report that was more transparent about the process, and also had the assurance opinion within it; they didn’t just want to give out another certificate or have an internal report. And thirdly, the benchmark – being able to have a standard that was consistent so that they could benchmark themselves and be benchmarked by their clients. So collectively those three reasons gave them the drive towards the SOC 2.
Richard Porter: Ok so some interesting market perspectives. Now picking up the second part of what we wanted to cover today, which is some of the upcoming changes that have been introduced through the exposure draft on SOC 2. Fiona, can you maybe elaborate on what this means for organisations that are already delivering a SOC 2 report?
Fiona Davis: Absolutely Richard, I think firstly many will be surprised because they will not be aware there currently are proposed changes to the framework. But for those that are aware, there is currently a feeling of perhaps confusion about what direction to go in next. But just perhaps to highlight some of the key changes that are in fact being proposed. First there’s a change in terminology – what we previously were familiar with from a SOC 2 perspective was the ‘trust service principles’, which are now known as ‘trust service categories’. Secondly we’ve seen quite a few additions – we now have supplemental criteria, and we have the introduction of ‘points of focus’ as well; the goal of those really has been to help assess the design and operating effectiveness of the control environment. Last but by no means least, we have a restructuring of the framework to very much realign with COSO. Many will be familiar with what COSO is, but for those who are not it’s basically a framework to help with the assessment of internal control. So quite a few changes but ultimately building upon what was previously in place.
Richard Porter: Ok, that’s really helpful. Damian, is there anything more you would particularly add from your perspective?
Damian Regan: Yes, Fiona mentioned supplemental criteria and to me the two key areas are firstly cyber security risk – undeniably a hot topic at the moment. And secondly privacy – also an area of complexity, and having additional content assists with both of these areas.
Richard Porter: Ok so quite a lot of upcoming change, but what’s your sense of the direction of travel here?
Damian Regan: I think it’s very positive. Having the ability to have more content means that our clients don’t necessarily need to create a SOC 2 report which is enhanced, or a SOC 2+, they can actually just create a SOC 2 with better content.
Richard Porter: Ok. So Fiona, what about organisations who already have a SOC 2 or are thinking about embarking on a SOC 2 – what do these revisions actually mean?
Fiona Davis: Well I think, Richard, the first point I would highlight is that the proposals are still very much under consultation and they will be so until the end of this year, so the general guidance at present is that anyone who is due to report prior to June 2018 should continue to use the existing framework. You do of course have a choice: if you wish to be an early adopter you can choose to use the new framework, but the rule of thumb is basically please do highlight within your reporting which one you choose to use at this point.
Richard Porter: Ok, thank you Fiona, thank you Damian. Some helpful words about how to respond to the new framework, hopefully that sheds some light for everyone on what lies ahead. Naturally, if you’d like to discuss any of these issues do get in contact. We look forward to sharing further insights and related topics over the coming months, but for now thank you and goodbye.