Using a SOC Report to Evaluate a Service Organization: Part 3 – How do I review the system description?

This is a continuation of our Using a SOC Report to Evaluate a Service Organization series. In these articles we will delve further into the components of SOC reports. As a reminder, the components of a SOC report are included below. In this article we will discuss what to look for when reviewing the system description included in the report.

Components of a SOC report

The components of a SOC report that you should review closely, which each provide specific information to support vendor due diligence, include:

  • The service auditors’ report
  • Management’s assertion
  • The content of the description, including either
    • The control objectives specified by management (SOC 1); or
    • The trust services categories selected by management (SOC 2)
    • Any complementary user entity controls (CUECs) or complementary subservice organization controls (CSOCs) specified in the report, which are included as part of the description
  • The results of the service auditors’ testing
  • Other information presented by the service organization

The Content of the Description

The description of the service organization’s system contains important information relating to the key processes and controls in place at the service organization. The description also includes the control objectives specified by management (SOC 1) or the trust services categories selected by management (SOC 2) as well as any CUECs or CSOCs specified by the service organization.

Understanding the content of the description of the service organization’s system, and how to navigate it within a SOC report, can help you find the information that is of particular interest to your organization. When reviewing the report, you should review the description to gain an understanding of how the service organization’s system operates, how information is handled or processed, how access to and changes within the system are controlled, and whether there are controls that should be considered at either the user organization or other involved service organizations. You should also determine whether the description includes the information you need; any information gaps may require additional follow-up with the service organization. The sections below provide additional details on the components of the SOC report description.

SOC 1

The description of the service organization’s system should include the following:

  • The related accounting records and supporting information involved in initiating, authorizing, recording, processing, and reporting transactions
  • How the system captures and addresses significant events and conditions other than transactions
  • The process used to prepare reports and other information for user entities
  • Relevant details of changes to the service organization’s system during the period (type 2)*
  • The control objectives specified by management and the related controls designed to achieve those control objectives

SOC 2

The description of the service organization’s system should meet the Description Criteria and include the following:

  • The types of services provided
  • The principal service commitments and system requirements
  • The components of the system used to provide the services
    • Infrastructure
    • Software
    • People
    • Procedures
    • Data
  • The boundaries or aspects of the system covered by the description
  • Third-party access to the system and its data
  • The nature, timing, and extent of identified incidents that
    • were the result of controls that were not suitably designed or operating effectively
    • otherwise resulted in a significant failure in the achievement of any service commitments and system requirements, as of the date of the description (type 1)* or during the period covered by the description (type 2)*
  • Any applicable trust services criteria that are not addressed by a control and the reasons
  • Relevant details of changes to the service organization’s system during the period (type 2)*
  • The applicable trust services criteria and the related controls designed to meet those criteria, including aspects of the overall control environment

*Note: we covered the difference between type 1 reports and type 2 reports in our previous article about the service auditors’ opinion and management’s assertion.

CUECs

CUECs are controls that management of the service organization assumes will be implemented by user entities as necessary to achieve the user entities’ control objectives or applicable trust services criteria. The CUECs presented in the report should be reviewed for relevance to your organization, and to the extent they are applicable, you should determine whether your organization has the necessary controls in place to complement the service organization’s controls relevant to its control objectives or applicable trust services criteria. CUECs are presented for a broad range of user entities and not all CUECs may be applicable to all user entities of the system.

CSOCs

When applicable, the description should include information about any subservice organizations utilized by the service organization including:

  • What is the relationship between the service organization and the subservice organization – is it a third party, or is it related to the service organization?
  • How is the subservice organization presented in the report – using the carve-out method or the inclusive method?
  • How does the service organization oversee the subservice organization – how does it monitor that controls are present and operating at the subservice organization?
  • Are there any controls that the service organization assumes are implemented by the subservice organization (CSOCs)?

CSOCs are controls that management of the service organization assumes, in the design of the service organization’s system, will be implemented by the subservice organizations and that are necessary to achieve the control objectives or applicable trust services criteria stated in management’s description of the service organization’s system. The CSOCs presented in the report should be reviewed for relevance to the service organization’s control objectives or applicable trust services criteria. As a downstream user organization of your service organization’s subservice organization, you should determine whether the controls performed by the subservice organization are significant to your own due diligence. If so, you should consider requesting a copy of the subservice organization’s SOC report(s) and including it in your due diligence review process.

We hope this article helps you identify the information you should be looking for within the system description section of your service organization’s SOC report.

Look forward to additional articles delving deeper into the final components of a SOC report to come!

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.