Sarah Pavelek, Soma Sinha
April 17, 2019 | Article
When a service organization undergoes a SOC 2 examination, management must now prepare or update the description of its system and disclose significant system incidents identified during the period covered by the report. Here's what you need to know for your next examination.

The AICPA recently updated the guidelines for presenting a service organization's system description in a SOC 2 report. The update applies to any SOC 2 examination of an organization's controls over security, availability, processing integrity, confidentiality, and privacy for periods ending after Dec. 15, 2018. Description Criteria 200 (DC 200) sets out the requirements to follow as you prepare and evaluate your organization's system description.

While the full DC 200 contains nine criteria, we highlight two that we expect to be significant and that weren't present in the prior description requirements: the requirements to disclose (1) principal service commitments and system requirements and (2) system incidents.

DC 2: Principal service commitments and system requirements

Description:

An entity's system objectives are the benchmarks against which its system of internal controls is evaluated, using the trust services categories. System objectives are composed of:
  • Service commitments that the entity has made to its users and others, related to the trust services categories.
  • System requirements, which are specifications of how the entity's system should function in order to meet its commitments to customers, vendors, and business partners; to comply with laws and regulations; and to meet other relevant objectives.

To help users understand the effectiveness of its controls, an entity is now required to state its principal system objectives in its description. Disclosing the principal system objectives lets readers of the SOC 2 report understand what drives the evaluation of the design and operating effectiveness of the entity's internal control structure: the auditor tests whether the controls achieve the commitments and requirements the entity itself has stated.

Guidance:

When documenting the system objectives, the entity should consider applicable laws and regulations, contracts in place between the entity and its customers, service level agreements, privacy policies, and similar sources. Examples of principal service commitments include:

  • Securing customer data
  • Maintaining 24/7 system availability
  • Classifying data and maintaining the confidentiality of data classified as confidential

Examples of system requirements that support the above commitments include:

  • Logical and physical access controls over customer data
  • Redundant systems that support 24/7 availability
  • Authority to classify data is assigned to a specific individual or group
  • Confidential data is segregated in a location that can be accessed only by authorized individuals

Each commitment stated in the description should be traceable to at least one system requirement, and each system requirement to controls that the auditor can test; a commitment with no supporting requirement or control is a gap the examination will surface.

DC 4: System incidents

Description:

An entity is required to disclose the nature, timing, extent, and disposition of its significant system incidents identified during the period covered by the report.

Guidance:

The intent of this requirement is to disclose incidents that resulted from ineffective controls and led to a significant failure to achieve one or more of the entity's service commitments or system requirements. Only incidents with a material impact need to be disclosed; these will most likely be incidents that required public disclosure, had a material effect on operations or reputation, required regulatory filings (financial or otherwise), and/or resulted in sanctions. Because the disclosure must cover the nature, timing, extent, and disposition of each such incident, management should maintain an incident register throughout the period that records, for every incident, when it was identified, which commitment or requirement it affected, how far it spread, and how it was resolved, so that the significant ones can be identified and described accurately when the report is prepared rather than reconstructed afterward.

Our team performs SOC 1, SOC 2, and SOC 3 examinations with clients across the United States and globally. If you’re a service organization undergoing a SOC 2 examination for the first time, or you’re in the planning phase for a recurring examination, give us a call. We can help.