The AICPA recently updated the guidelines for presenting a service organization’s system description in a SOC 2 report, effective for any SOC 2 examination of an organization’s controls over security, availability, processing integrity, confidentiality, and privacy, for periods ending after Dec. 15, 2018. Description Criteria 200 (DC 200) includes several requirements to follow as you prepare and evaluate your organization’s system description.
While the full DC 200 contains nine criteria, we highlight two that we expect to be significant and that weren’t present in prior description requirements: the requirements to disclose (1) principal service commitments and system requirements and (2) system incidents.
DC 2: Principal service commitments and system requirements
Description:An entity’s system objectives are the benchmarks against which its system of internal controls is evaluated, using the trust services categories. System objectives are composed of:
- Service commitments that the entity has made to its users and others related to trust services categories.
- System requirements that are specifications about how the entity’s system should function to meet its commitments to customers, vendors, and business partners; to comply with laws and regulations; and to meet other relevant objectives.
To help users understand the effectiveness of its controls, an entity is now required to state its principal system objectives in its description. Disclosure of the principal system objectives allows readers of the SOC 2 examination report to understand what drives the evaluation of the design and operating effectiveness of the entity’s internal control structure.
When documenting the system objectives, the entity should consider prevalent laws and regulations, contracts in place between the entity and their customers, service level agreements, privacy policies, etc. Examples of principal service commitments include:
- Securing customer data
- Maintaining 24/7 system availability
- Classifying data and maintaining confidentiality of data classified as such
- Logical and physical access controls over customer data
- Redundant systems that would ensure 24/7 availability
- Authority of classifying data is assigned to a specific individual or group
- Confidential data is segregated in a location that can be accessed only by authorized individuals
DC 4: System incidents
An entity is required to disclose the nature, timing, extent, and disposition of its significant system incidents identified during the period covered by the report.
The intent of this requirement is to disclose information related to incidents that occur due to ineffective controls, and lead to significant failure of the achievement of service commitments and system requirements. Only incidents with a material impact are to be disclosed; this would most likely consist of those that required public disclosure, had a material effect on operations or reputation, required regulatory filings (financial or otherwise), and/or resulted in sanctions.
Our team performs SOC 1, SOC 2, and SOC 3 examinations with clients across the United States and globally. If you’re a service organization undergoing a SOC 2 examination for the first time, or you’re in the planning phase for a recurring examination, give us a call. We can help.