Be sure to also check out the first article in the series – “Your Road Map to Successful SOC Engagement (Part 1)”
Describing the “system” in your System and Organization Controls (SOC) Report is a critical requirement for SOC examinations. A System Description is the way in which management describes to its users the very System that supports the delivery of products, solutions or services to its customers, also called system users.
Writing the System Description can often be a time-consuming process, but once created it only has to be updated in future years as systems and processes change.
Because the System Description is the critical focus areas of the service auditor’s opinion, it is vital to get it right the first time around. However, managers new to the task do not always have a firm grasp on what needs to be included in the System Description or how he or she should compose a thorough description, which can be challenging for managers newly facing the task.
Write your system description for your upcoming SOC report
When it is time to write your System Description for your upcoming SOC report, you may wonder what it should say, where do you start, and what level of detail to include in the description.
A System Description must be prepared by management in accordance with descriptive criteria established by the AICPA. While the contents for System Descriptions are similar for SOC1 and SOC2 reports, the specific descriptive criteria are different. This article refers to a SOC2 Description of a System. A SOC2 Description is typically organized into the following sections:
1. Overview of the Company, Products, and Services Delivered
- Identify the specific products or services used by your customers, which are included in the scope of the SOC report.
- There is no need to list all products provided to third parties, but make sure those that are subject to the SOC examination are clearly described.
2. Service Commitments and System Requirements
Service commitments and system requirements are typically found in master service agreements or statements and serve to describe the following:
- What the service organization is promising its users with respect to the security of systems and data.
- The availability of systems that enable the delivery of products and services.
- The measures taken to protect the confidentiality of users’ data and/or processing commitments.
3. The Components and Boundaries of a System
A system is made up of components that each relate to the services and products or solutions offered to the customers or users. It is important that you describe each of these components and boundaries in terms of what is in-scope and what is outside of the parameters of the system.
For example, a border firewall that connects to an internet service provider’s high-speed fiber drop is an example of a piece of infrastructure, that if configured properly, could establish a “border” of the system used to deliver products and services to users.
Following are components of a system to include in the system description:
4. Relevant Aspects of the Control Environment
Relevant Aspects of the Control Environment include how your organization:
- identifies and responds to risks,
- communicates with its internal and external system users, and
- monitors the operation of controls
A. RISK ASSESSMENT
The risk assessment process is an area that many developing companies have not formally established even though they have successfully grown their business to the point where they need a SOC Report to distribute to their customers. A recommended risk assessment methodology includes:
- Identifying threats that may impact the system areas that enable the delivery of services to customers.
- Assessing the likelihood that this threat will actually occur, along with the possible impact on the organization if it does occur. Such risk is referred to as an inherent risk.
- Identifying controls designed to mitigate the inherent risk, which do so either by reducing the likelihood, impact or both.
- Reassessing the likelihood and impact of residual risk, which is any risk found after remediation controls are applied.
- Developing an action plan to accept, further mitigate or take additional measures to bring risk down to an acceptable level.
- Establishing processes to gather input to risk assessment from department heads or other key individuals.
- Establishing processes to track and communicate risks with management teams, which include the Board of Directors.
B. INFORMATION & COMMUNICATION
Determine how your organization gathers, generates and disseminates information needed to support the overall control environment of the company, commonly referred to as the Information and Communication Systems. The processes to be described here include the following:
- How data or other information is received from third parties, or generated internally, to support the operation of the system.
- How the company communicates to internal and external system users what their responsibilities are to maintain the security of the control environment in which the company operates.
C. MONITORING CONTROLS
Below describes monitoring controls and what they are related to:
- Ongoing and/or separate “reviews, assessments or internal audits” of the components of internal controls, and
- The tracking to resolution of identified deficiencies and appropriate levels of report to management and the Board of Directors
5. Complementary Sub-Service Organization Controls
These are controls that are expected to be in place at sub-service organizations that provide a key component of the system to your service organization. These particular controls may also serve as an integral part of delivering the products and services to your service organization’s customers.
Generally, the activities that these sub-service organizations provide are “carved-out,” which means these controls are not actually described here. However, the manager makes sure the reader of the SOC report understands who is responsible for what and how the team monitors the services provided by the sub-service organization.
6. Complementary User Entity Controls
These are controls that the company expects the user of the products or services to have in place in order for the service organization’s controls to operate effectively. You might include these controls in two areas:
- A specific sub-section of the description listed in the service description area that feature details on how these controls relate to the control objectives.
- A part of the tested controls, which are often documented and included with the control objectives with which they align.
Additional thoughts to remember as you compose your system description for your SOC report
Keep in mind that writing a strong and detailed system description provides your auditor with the full story of your system, and the more information he or she has from the outset, the better.
Do you feel more confident about describing your system in a SOC report?
Are you ready to tackle writing the description of your service organization’s system for your upcoming SOC report? It is an involved and complex process that many managers struggle with as they begin the SOC reporting process.
Our experienced SOC team of auditors can help you understand the complexities better and how you can create a top-notch system description that will satisfy the auditor and help you soar through your SOC examination.