The description of a service organization’s system in a SOC 2 report is required to be prepared and assessed using the description criteria guidance put forward by the American Institute of Certified Public Accountants (AICPA). This blog discusses the description criteria to provide guidance on the factors to consider when describing a service organization’s system. The description criteria require judgment and consideration of the facts and circumstances of the service organization and of the environment in which it provides services to its user entities.
Who is Responsible for the Description Criteria?
Service organization management is ultimately responsible for the description of the service organization’s system including the content, design, and implementation of controls. Many times the service auditor will draft the description on behalf of the service organization and the service organization will review it for completeness and accuracy. The service auditor is responsible for determining whether the description of the service organization’s system is documented in line with the description criteria guidance.
When to Use the Description Criteria?
The description criteria are used in conjunction with a SOC 2 examination and are presented within a SOC 2 report. As per AICPA professional standards, SOC 2 examinations are to be performed in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements. The attributes for consideration in the description criteria include the following:
- Relevancy to the system description
- Objectivity and fair representation
- Measurability providing qualitative and quantitative consistency throughout
- Completeness so as not to omit relevant factors that may be significant
How to Meet the Description Criteria?
The description criteria give report users, including user entities, business partners, their auditors, regulators, and other intended users of the SOC 2 report, information regarding the service organization’s system and its boundaries, including its inputs, processing, and outputs. The coverage of the description varies with the size of the service organization and the complexity of the services provided by the system. It is required to meet the needs of a broad range of report users and to describe the significant aspects of the system and the services provided to its user entities.
A description of the service organization’s system is adequate if it:
- Describes the system that the service organization has in place to provide the services to its user entities;
- Includes information for each relevant description criterion;
- Does not omit or distort any information that may be key to a report user’s decision making.
The description may be documented in many different ways but is primarily presented in a narrative format. The narrative description may be supplemented with flowcharts, tables, graphics, or a combination of these. Incorporating the criteria listed below, along with the associated factors for consideration, provides an outline for meeting the description criteria in a SOC 2 examination.
What is Included in the Description Criteria?
1. Types of Services Provided
The features of the service organization’s system, including the nature and extent of the services provided to its user entities, should be disclosed. The significant aspects of the system and services should be identified in terms of the services provided to the majority of user entities, not necessarily those items that are unique to only a small subset of user entities.
2. Principal Service Commitments and System Requirements
The service organization’s principal service commitments made to its user entities and the system requirements needed to achieve them should be depicted in the system description. The principal service commitments may be identified for inclusion from the contracts with user entities, in their terms and conditions, or in their service level agreements. The service commitments that are relevant to a broad range of SOC 2 report users and applicable trust services criteria should be included in the system description. The trust services criteria, not to be confused with the description criteria, cover security, availability, processing integrity, confidentiality, and privacy. See our blog on the trust services criteria for more information.
The system requirements are those features that function to achieve the service commitments and objectives relevant to the applicable trust services criteria. Many of these system requirements may be identified in the service organization’s policies and procedures. The principal system requirements are those that are relevant to a broad range of SOC 2 report users and the applicable trust services criteria addressed by the description.
3. Components of the System Used to Provide Services
The components of the system that work together to deliver the services used by the user entities should be outlined to provide an understanding of how the system functions by including the following components: infrastructure; software; people; procedures; and data.
- Infrastructure used to provide the services includes, for example, the hardware, servers, workstations, networks, facilities, and data storage devices. The system boundaries may also be described, as well as third-party access to the system.
- Software includes disclosures regarding the application programs, operating systems, mobile applications, and other utilities used to support the services provided to user entities.
- The people component disclosures include information regarding the departments in place and their responsibilities, covering activities such as governance, security, development, and control operations, and the segregation of duties these provide.
- Procedures cover those key policies and procedures that support the attainment of the service commitments and system requirements. Control activities are deployed through policies that document expectations and procedures that turn that into action.
- Data disclosures describe the types of data used by the system, including the inputs, processing, and outputs of the data, as well as the protections in place for data at rest and in transit. How the data is classified, how it is disposed of when no longer needed, and how data confidentiality or privacy is maintained provide additional understanding of system functionality.
4. Identified System Incidents
Whether or not to include information regarding a system incident requires judgment of the facts and circumstances surrounding the system incident. One factor for consideration is how significant any failures were in fulfilling the service commitments and system requirements as of the date or during the period covered by the description. Another factor to consider is whether disclosure of the system incident was required by any laws or regulations. If the decision is made to disclose a system incident, the following information should be provided at a high level:
- The nature of the system incident;
- Timing of the system incident; and
- Effect of the system incident and its disposition.
5. Applicable Trust Services Criteria
This area of the service organization’s system description will generally have the most content. The system description identifies the trust services criteria being reported upon. Additionally, it consists of the applicable controls performed by the service organization to accomplish the service commitments and system requirements. The common criteria (security) apply to all SOC 2 reports, and the description presents the controls implemented to address them. If additional trust services criteria related to availability, processing integrity, confidentiality, or privacy are also included, the additional controls implemented to cover those criteria are also needed.
6. Complementary User Entity Controls
The service organization may assume in its design that certain controls necessary to achieve the service commitments and system requirements are performed by the user entity in combination with its own controls. These complementary user entity controls need to be detailed in the description. Complementary user entity controls are those controls the service organization assumes are executed by the user entity in order for the whole system of internal controls to operate effectively. A typical complementary user entity control is that the user entity authorizes access to the system and revokes access when it is no longer needed. A service organization would rely on communication from the user entity regarding the authorization of system access granted. In some cases, the user entity may administer access to the system itself.
7. Subservice Organization Controls
A subservice organization may be utilized by the service organization to carry out controls that are necessary along with its own controls to accomplish its service commitments and system requirements. Either the specific controls being relied upon (inclusive method) or the types of controls being relied upon (carve-out method) need to be depicted in the description.
If the inclusive method is used for reporting purposes, the specific controls performed by the subservice organization are disclosed but separately identified in the description. These controls are also tested for design and operational effectiveness (Type II only) by the service auditor. Additionally, the relevant facets of the subservice organization will also be included but separately identified in the description. They cover the infrastructure, software, people, procedures, and data as part of the service organization’s system description.
If the carve-out method is used for reporting purposes, the types of controls (aka complementary subservice organization controls) assumed at the subservice organization, but not the specific controls, are disclosed. Complementary subservice organization controls (CSOCs) are assumed by the service organization to be performed in combination with its own controls to accomplish its service commitments and system requirements. A typical CSOC from a cloud hosting subservice organization is that they provide the environmental controls protecting the production servers.
Some service organizations may utilize multiple subservice organizations. In this case, the service organization may describe one or more under the inclusive method and the others under the carve-out method.
8. Irrelevant Specific Criterion
The reasons why any specific criterion of the applicable trust services criteria is not applicable to the service organization’s system should be explained. For example, if the trust services criteria for privacy are in scope but the user entity performs the collection of personally identifiable information from its customers, the specific controls performed by the user entity would not be documented. In this instance, the service organization would explain why the criterion is not relevant to its system description.
9. Significant Changes to the Service Organization’s System
For a Type II SOC 2 report, significant changes made during the reporting period that alter the controls in place to fulfill the service commitments and system requirements should be made known when they are pertinent to a broad range of report users. Details should include the date the change occurred and the differences before and after the system changed. An example of a significant change is a change in the subservice organization used for cloud hosting and managed services (e.g., changing from AWS to Azure), which would require disclosure in the description of the service organization’s system.
The description criteria are part of a SOC 2 report and are the responsibility of service organization management. The service auditor is responsible for reviewing the service organization’s system description and determining whether it satisfies the description criteria. The system description gives report users information regarding how the system operates to accomplish its service commitments and system requirements. More detailed guidance is located in AICPA Description Criteria Section 200.
Contact us at Linford & Company for more information to help you with your SOC reporting needs. Our team of CPAs and IT professionals completes SOC 1 and SOC 2 examinations on behalf of service organizations located around the world.
Becky McCarty has over 20 years of experience in internal controls, audit, and advisory services. She specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. Becky completed a Bachelor’s degree in Business Administration (Accounting) and a Master of Science degree in Management Information Systems. She worked 6 years with KPMG LLP commencing in 1999, worked several years in the energy industry, and joined Linford & Co., LLP in 2018. Becky also served 9 years on the Board of Directors for a home healthcare nonprofit. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC compliance efforts based on their objectives and/or applicable trust services criteria.