In this blog, we’ll dive into one of the most important parts of a SOC 2 report, the SOC 2 System Description!
During your due diligence process, a vendor sends you their SOC 2 report. How do you know what the report is trying to say? How are you supposed to figure out which parts are important?
At first glance, a SOC 2 System Description can seem overwhelming. However, when you know what to look for (and what not to look for), it becomes easy to pinpoint the specific sections that are relevant to you.
What’s Included in the SOC 2 System Description
A SOC 2 System Description is management’s own account of the information system operated by the Service Organization; the auditor does not write it, but does opine on whether it is fairly presented. The System Description is not required to follow a specific format, but it is required to address eight “description criteria” in a Type 1 report and nine in a Type 2 report (the ninth, covering changes during the review period, only applies when a period of time is covered). The AICPA defines these criteria in DC-200.
The Services Offered
A typical SOC 2 System Description will begin by describing the services offered by the company. This can also include a list of features of that service and the delivery methodology.
The Principal Service Commitments and System Requirements
The Principal Service Commitments and System Requirements denote management’s primary objectives regarding the system being audited. These commitments and requirements are often communicated in customer contracts and Service Level Agreements (SLAs) and are reiterated in the System Description.
They should tie into the Trust Service Criteria in scope. For example, if the report covers Availability, the commitments and requirements should focus on availability metrics.
The Components of the System
All information systems contain infrastructure, software, people, procedures, and data. This section of the SOC 2 System Description describes each of these components and how they work together to deliver the service in scope.
One component that should stand out is the data component. This section describes what data is collected by the organization and how it is processed, stored, and disposed of.
System Incidents
The Service Organization being audited is required to disclose system incidents that affected the achievement of the Principal Service Commitments or System Requirements. This section will cover the nature, timing, and extent of any such incidents, along with how the organization responded.
Disclosed incidents are uncommon, but when they do appear they deserve a close look during your review of a SOC 2 report: check whether the incident relates to a control that later shows an exception in the Tests of Controls section.
Overview of Control Environment
The overview of the control environment describes all the controls that management has established to ensure that the information system operates as intended. This may include controls related to governance, human resources, access control, and monitoring technologies. These controls are designed by the Service Organization and audited by the Service Auditor.
Complementary User Entity Controls (CUECs)
Simply put, CUECs are controls that the Service Organization’s customers (the “user entities”) are expected to implement, and which the Service Organization’s own controls assume are in place in order to meet its commitments. Common examples include managing user access and reviewing it periodically (for a SaaS application) and keeping up to date with software patches (for a locally managed solution).
If you are reviewing the System Description for a vendor (or potential vendor), you should keep these CUECs in mind: you will be responsible for performing these actions, and the auditor’s opinion on the vendor’s controls assumes that you do.
Complementary Subservice Organization Controls (CSOCs)
CSOCs are controls that are the responsibility of the Service Organization’s own vendors (the “subservice organizations”), such as a cloud hosting provider. If the subservice organization does not perform these controls, the information system will not function as intended.
The Service Organization is not required in all cases to include the exact control performed by its subservice organization(s). Instead, the CSOC section will describe the subservice organization’s overall responsibilities. When the report uses the carve-out method, those controls are excluded from the scope of the audit, so the auditor has not tested them. During a review of a SOC 2 System Description, you should pay special attention to the CSOCs, which provide insight into the vendors used by your vendor, and consider requesting the subservice organization’s own SOC report to cover the gap.
Criteria Not Applicable
In some cases, certain SOC 2 criteria will be not applicable to a Service Organization. These criteria will appear in this section.
The most common circumstance where there will be N/A criteria is if Privacy is in scope, since some of the Privacy criteria may not apply depending on how the organization collects and handles personal information. You should note which criteria are marked not applicable and the Service Organization’s justification for excluding them.
Significant Changes
For a Type 2 report (which covers a period of time), the Service Organization must describe significant changes to the system that occurred during the period. This may include mergers, acquisitions, major infrastructure changes, and key personnel changes. Consider whether any of these changes affect the controls you care about and whether they are reflected in the tests performed.
What’s Not Included In the SOC 2 System Description
The System Description holds the bulk of the information in a SOC 2 report, but it does not contain everything. Here are a few items that you will need to find elsewhere in the report:
The Auditor’s Opinion
The auditor’s final opinion over whether the report is clean (an unqualified opinion) or qualified is located in the Service Auditor’s Report, usually the first or second section. Here, the auditor states whether the System Description is presented in accordance with the Description Criteria and whether the controls were suitably designed (Type 1) or suitably designed and operating effectively throughout the period (Type 2).
Tests of Controls
The procedures the auditor performed to test whether controls operated effectively, and the results of those tests, are in a separate section of the report that generally follows the System Description. This is where you would find any control exceptions, along with management’s response to them if one is included.
If you have any further questions regarding SOC 2, reach out to an expert!