OUR THOUGHTS ON:

Proposed Revision of Criteria for a Description of a Service Organization's System in a SOC 2 Report

Risk Advisory/Internal Audit|SSAE 18/SOC

By Mark Riley

The system description of an SOC 2 report is the area in which the service organization details the system that is being assessed and the risks that are considered throughout the entire report. This section is essential to user entities, business partners and prospective user entities to help understand the system through which the services are provided.

To assess and address the risks associated with the service organization’s system, user entities and business partners require information about the service organization’s controls within the system through which the services are provided. Prospective user entities may also need and benefit from this same information to help make decisions about whether to outsource their own processes or functions to the service organization.

The AICPA is in the process of revising the AICPA Guide, Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing, Integrity, Confidentiality or Privacy (SOC 2). Currently, the criteria for a description of a service organization’s system in SOC2 reports is presented in paragraphs 1.26 and 1.27 (extant description). With forthcoming revisions, the description criteria will no longer be included in the body of the AICPA guide but will become a standalone document that the service auditor’s report will reference. This change is being made to improve the availability and ease of use of the criteria, as well as to permit the inclusion of additional guidance to assist service organization management with the preparation of the description. In addition, the changes will align the description criteria to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017 trust services criteria) issued in April 2017 and increase the usefulness of SOC 2 reports for entities that undergo the AICPA’s SOC for Cybersecurity examination.

The following is a summary of the most significant changes to the extant description:

1. New disclosures about the service organization’s principal service commitments and system requirements: Service organizations will have to report to the service users their principal service commitments and system requirements.

2. New disclosures about certain incidents: The description may need to include disclosures for incidents identified during the reporting period or significant impairment of the service organization’s achievement of its service commitments and system requirements.

3. Additional implementation guidance in the description criteria: Implementation guidance is given for each criterion to assist service organization management in making decisions about the nature and extent of disclosures to include in the description.

4. Incorporation of privacy criteria and implementation guidance: The extant description criteria that presents the criteria relevant to privacy in a separate paragraph

PROPOSED REVISION OF CRITERIA FOR A DESCRIPTION OF A SERVICE ORGANIZATION’S SYSTEM IN A SOC 2 REPORT

(paragraph 1.27) of the AICPA Guide Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) will no longer be necessary.

Organizations today are leveraging third parties to outsource many different types of services to help lower their own infrastructure and maintenance costs. With these additions to the description criteria, service users will see more transparency of the service organization’s systems and commitments in the SOC 2 for management and other relevant users to analyze and use in business decisions.

For more information, please contact Schneider Downs or visit the Our Thoughts On blog.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

comments