Proposed Revision of Criteria for a Description of a Service Organization's System in a SOC 2 Report

The system description of a SOC 2 report is the area in which the service organization details the system that is being assessed and the risks that are considered throughout the entire report. This section is essential to user entities, business partners and prospective user entities to help them understand the system through which the services are provided.

To assess and address the risks associated with the service organization’s system, user entities and business partners require information about the service organization’s controls within the system through which the services are provided. Prospective user entities may also need and benefit from this same information to help make decisions about whether to outsource their own processes or functions to the service organization.

The AICPA is in the process of revising the AICPA Guide, Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2). Currently, the criteria for a description of a service organization’s system in SOC 2 reports are presented in paragraphs 1.26 and 1.27 (extant description). With forthcoming revisions, the description criteria will no longer be included in the body of the AICPA guide but will become a standalone document that the service auditor’s report will reference. This change is being made to improve the availability and ease of use of the criteria, as well as to permit the inclusion of additional guidance to assist service organization management with the preparation of the description. In addition, the changes will align the description criteria to the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017 trust services criteria) issued in April 2017 and increase the usefulness of SOC 2 reports for entities that undergo the AICPA’s SOC for Cybersecurity examination.

The following is a summary of the most significant changes to the extant description:

1. New disclosures about the service organization’s principal service commitments and system requirements: Service organizations will have to report to the service users their principal service commitments and system requirements.

2. New disclosures about certain incidents: The description may need to include disclosures for incidents identified during the reporting period or significant impairment of the service organization’s achievement of its service commitments and system requirements.

3. Additional implementation guidance in the description criteria: Implementation guidance is given for each criterion to assist service organization management in making decisions about the nature and extent of disclosures to include in the description.

4. Incorporation of privacy criteria and implementation guidance: The extant description criteria that present the criteria relevant to privacy in a separate paragraph (paragraph 1.27) of the AICPA Guide Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2) will no longer be necessary.

Organizations today are leveraging third parties to outsource many different types of services to help lower their own infrastructure and maintenance costs. With these additions to the description criteria, service users will see more transparency into the service organization’s systems and commitments in the SOC 2 report, which management and other relevant users can analyze and use in business decisions.

For more information, please contact Schneider Downs or visit the Our Thoughts On blog.


© 2020 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
