The system description of an SOC 2 report is the area in which the service organization details the system that is being assessed and the risks that are considered throughout the entire report. This section is essential to user entities, business partners and prospective user entities to help understand the system through which the services are provided.
To assess and address the risks associated with the service organization’s system, user entities and business partners require information about the service organization’s controls within the system through which the services are provided. Prospective user entities may also need and benefit from this same information to help make decisions about whether to outsource their own processes or functions to the service organization.
The AICPA is in the process of revising the AICPA Guide, Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing, Integrity, Confidentiality or Privacy (SOC 2). Currently, the criteria for a description of a service organization’s system in SOC2 reports is presented in paragraphs 1.26 and 1.27 (extant description). With forthcoming revisions, the description criteria will no longer be included in the body of the AICPA guide but will become a standalone document that the service auditor’s report will reference. This change is being made to improve the availability and ease of use of the criteria, as well as to permit the inclusion of additional guidance to assist service organization management with the preparation of the description. In addition, the changes will align the description criteria to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017 trust services criteria) issued in April 2017 and increase the usefulness of SOC 2 reports for entities that undergo the AICPA’s SOC for Cybersecurity examination.
The following is a summary of the most significant changes to the extant description:
1. New disclosures about the service organization’s principal service commitments and system requirements: Service organizations will have to report to the service users their principal service commitments and system requirements.
2. New disclosures about certain incidents: The description may need to include disclosures for incidents identified during the reporting period or significant impairment of the service organization’s achievement of its service commitments and system requirements.
3. Additional implementation guidance in the description criteria: Implementation guidance is given for each criterion to assist service organization management in making decisions about the nature and extent of disclosures to include in the description.
4. Incorporation of privacy criteria and implementation guidance: The extant description criteria that presents the criteria relevant to privacy in a separate paragraph
PROPOSED REVISION OF CRITERIA FOR A DESCRIPTION OF A SERVICE ORGANIZATION’S SYSTEM IN A SOC 2 REPORT
(paragraph 1.27) of the AICPA Guide Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) will no longer be necessary.
Organizations today are leveraging third parties to outsource many different types of services to help lower their own infrastructure and maintenance costs. With these additions to the description criteria, service users will see more transparency of the service organization’s systems and commitments in the SOC 2 for management and other relevant users to analyze and use in business decisions.