AICPA releases new guidelines for SOC 2 reports: What you need to know

April 17, 2019 Article 2 min read
Sarah Pavelek
When a service organization undergoes a SOC 2 examination, management must now prepare or update the description of their system and disclose significant system incidents identified during the period covered by the report. Here’s what you need to know for your next examination.
The AICPA recently updated the guidelines for presenting a service organization’s system description in a SOC 2 report, effective for any SOC 2 examination of an organization’s controls over security, availability, processing integrity, confidentiality, and privacy, for periods ending after Dec. 15, 2018. Description Criteria 200 (DC 200) includes several requirements to follow as you prepare and evaluate your organization’s system description.

While the full DC 200 contains nine criteria, we highlight two that we expect to be significant and that weren’t present in prior description requirements: the requirements to disclose (1) principal service commitments and system requirements and (2) system incidents.

DC 2: Principal service commitments and system requirements

An entity’s system objectives are the benchmarks against which its system of internal controls is evaluated, using the trust services categories. System objectives are composed of:
  • Service commitments that the entity has made to its users and others related to trust services categories.
  • System requirements that are specifications about how the entity’s system should function to meet its commitments to customers, vendors, and business partners; to comply with laws and regulations; and to meet other relevant objectives.

To help users understand the effectiveness of its controls, an entity is now required to state its principal system objectives in its description. Disclosure of the principal system objectives allows readers of the SOC 2 examination report to understand what drives the evaluation of the design and operating effectiveness of the entity’s internal control structure.

When documenting the system objectives, the entity should consider prevalent laws and regulations, contracts in place between the entity and its customers, service level agreements, privacy policies, etc. Examples of principal service commitments include:

  • Securing customer data
  • Maintaining 24/7 system availability
  • Classifying data and maintaining confidentiality of data classified as such

Examples of system requirements to achieve the above commitments include:
  • Logical and physical access controls over customer data
  • Redundant systems that would ensure 24/7 availability
  • Authority for classifying data is assigned to a specific individual or group
  • Confidential data is segregated in a location that can be accessed only by authorized individuals

DC 4: System incidents

An entity is required to disclose the nature, timing, extent, and disposition of its significant system incidents identified during the period covered by the report.

The intent of this requirement is to disclose information about incidents that occur because of ineffective controls and result in a significant failure to achieve service commitments and system requirements. Only incidents with a material impact are to be disclosed; these would most likely be incidents that required public disclosure, had a material effect on operations or reputation, required regulatory filings (financial or otherwise), and/or resulted in sanctions.

Our team performs SOC 1, SOC 2, and SOC 3 examinations with clients across the United States and globally. If you’re a service organization undergoing a SOC 2 examination for the first time, or you’re in the planning phase for a recurring examination, give us a call. We can help.