Many companies in the title industry swear by SOC 2 certifications. The audits provide verification to lenders and other business partners that a company has critical controls in place to design and manage the security and confidentiality of its data.
However, title companies and underwriters should know that recent enhanced requirements by the American Institute of CPAs (AICPA) have made the audit examinations more challenging.
Auditors say the key to a smooth audit process includes a readiness phase and working with trusted independent service auditors.
“The impact to current service organization SOC2 reporters for 2019 has been noticeable,” Shelby Nelson, director of Frazier & Deeter’s Process, Risk & Governance Practice told The Title Report. “Mapping existing controls to the new framework, identifying new controls to address the expanded Security category, system description modifications and the requirements to address sub-service organizations have all presented challenges. All of these elements require time, a precious commodity, from management and compliance personnel.”
AICPA issued three major updates for reports issued on or after December 2018. They are:
- Alignment with clarified attestation standards. This includes updated information on requirements related to requesting written assertions and performing risk assessments.
- Updated description criteria. This includes necessary information on preparing and reviewing the presentation of the description of a service organization’s system. It requires that the system description disclose the nature, timing, and extent of certain identified system incidents. The criteria also include helpful implementation guidance related to disclosures, including what to consider when determining whether to disclose an incident.
- Updated Trust Services Criteria. AICPA updated its Trust Services Criteria to align with the COSO 2013 Framework, which is widely used in the design and implementation of internal controls. Service organizations and practitioners need to know how the updated criteria impact the evaluation of the suitability of design and operating effectiveness of controls for SOC 2 engagements.
Additionally, although it is not a requirement, the examinations now include a question that asks companies for evidence of subscriptions to industry-related publications.
“[Having industry related subscriptions] is arguably part of several of the new key points of focus for the criteria. Attracting, retaining, and training competent individuals is a requirement, which would include continuing education and staying abreast of industry news and changing regulatory requirements,” Jeff Redford of Pershing Yoakley & Associates told The Title Report. “In general, being aware of industry developments is a best practice when establishing a system of internal controls in preparation of a SOC 2 examination.”
“Service organizations could use information provided by industry related organizations to support their risk assessment, evaluate third-party service providers, or indicate compliance with a specific requirement based on certifications or designations provided by those organizations,” Nelson added.
Redford said his biggest takeaway from the changes is that the Trust Services Criteria now are mapped to the COSO 2013 internal control framework, with additional criteria added to better address cybersecurity risks.
“Additionally, ‘Points of Focus’ were added to each criteria to give more insight into what types of controls are best for each,” Redford said. “Entities are not required to address them individually but when reviewed in total they provide additional details on what controls should be in place to address each criteria. This assists in SOC 2 examinations focusing at more of an entity-level instead of for specific processes/systems.”
Frazier & Deeter said the audit process can seem daunting and recommends companies incorporate a readiness phase prior to the examination to ensure a smooth, “no-surprises” examination process.
“Understanding all of the SOC2 framework changes is extremely important to determine the impacts to both existing and potential SOC reporters,” Nelson said. “Knowing which, if any, of the additional Trust Services Categories to include, Type I vs Type II, sub-service organizations, complementary user entity controls, mapping SOC2 controls to other frameworks (i.e. ISO, NIST, HiTrust) or incorporating other control considerations (GDPR, NYDFS, ALTA, HIPAA) can seem overwhelming. Working with a trusted independent service auditor to educate a service organization as it relates to SOC2 is key.”