New Changes to Trust Services Criteria and SOC 2 Reporting


The AICPA continues to adjust and refine the SOC 2 reporting requirements. The most recent release includes significant changes to the Trust Services Criteria and also addresses cybersecurity risks while offering increased flexibility. The AICPA also issued a Description Criteria.


Available for use now, the AICPA has recently released new Trust Services Criteria for SOC 2 reporting. The new criteria will be required for reports with a period that ends on or after December 16 of this year. The recent changes are significant, and require additional time and attention from the companies who issue SOC 2 reports. These changes include:   

  • Trust Services criteria now align with COSO 2013 and lay out points of focus

  • Five principles are now called five categories

  • Trust Services criteria, adjusted to better address cybersecurity risks

  • Separate Description Criteria requirements that specify requirements of the system description, along with implementation guidance.

Effective Date and Transition

Companies are required to use the new criteria for all reports whose period ends on or after December 16th, 2018. 

BDO Insights

Prepare for the new standards – sooner rather than later.
If you issue SOC 2 reports or plan to issue a SOC 2 report, it’s essential for your business to understand the new SOC 2 requirements – and how they’ll impact your organization’s SOC 2 reporting process. Early preparation will help companies stay ahead of the curve when it comes to attestation.
BDO’s Third Party Attestation Practice team is dedicated to providing high quality System and Organization Controls attestation services. Backed by one of the world’s largest global networks, BDO tailors SOC services to meet our clients’ unique needs, allowing us to deliver them in the most efficient and cost-effective way possible. Whether you’ve obtained a SOC 2 report in the past, or are planning to do so in the future, we can help you:

  • Gain an understanding of the reporting needs in light of the updates to the Trust Services Criteria and the Description Criteria;
  • Develop a SOC 2 reporting plan for the new requirements;
  • Complete an assessment/gap analysis based on selected SOC 2 criteria against the new requirements;
  • Identify any reporting gaps to determine any necessary incremental controls and system description updates.