By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Prior to engaging a CPA firm to perform your SOC audit, service organization management must create two key documents that need to be furnished to the auditor: Management’s description of the system and the control matrix.
Note that these two documents are not the only documents that will be provided to the auditor. During the audit fieldwork, the auditor will request many documents.
SOC Audit Required Document – Management’s Description
Management’s description is a narrative document that provides details on the service organization’s system. In this context, the system is not an individual computer system. Rather, the system is the set of processes and controls that allow management to achieve its service commitments and other objectives related to Security, Availability, Processing Integrity, Confidentiality, and Privacy. In various AICPA guidance, it is referred to as a system of internal control.
Management’s Description is provided to the auditor at the start of the engagement, and if processes change during the course of the engagement, updated versions should be provided to the service organization auditor.
In the final SOC 2 report, Management’s Description is incorporated into Section III.
Although the AICPA has not specified a format for the Description, the AICPA has prescribed minimum information that needs to be included in the description. Additionally, we have seen patterns emerge among the Descriptions in the numerous service organization SOC audits we’ve examined over the years. The outline below presents a combination of the requirements of a SOC 2 description and an organizational structure we see regularly in descriptions.
- System Overview
a. Service Provided – A description of the key service(s) that the service organization provides to its customers
- Principal Service Commitments and System Requirements
a. Service Commitments – The key commitments made to customers.
b. System Requirements – The key requirements of the system necessary to meet those requirements
- Components of the System
- Incident Disclosure – If it impacted the controls or service commitments
- Criterion Disclosure – Specific enumeration of which Trust Services Criteria (TSC) are applicable to the description. This will always include Security, and may include Availability, Processing Integrity, Confidentiality, and/or Privacy depending on the service commitments to the clients.
- Complementary User Entity Controls – A disclosure to the service organization’s customers that enumerates controls for which they are responsible. For example, when a service organization provides software-as-a-service (SaaS), it is generally the user entity (the customer) that grants and removes its own employees’ access.
- Subservice Organizations – A disclosure indicating which controls at subservice organizations are key to management’s control objectives and service commitments. For example, a service organization that provides a SaaS would likely identify the company that manages the datacenter and that company’s responsibility for physical access controls and environmental controls within the datacenter.
- Criteria Not Applicable – There is a rebuttable presumption that all criteria in the relevant TSC sections are applicable. If any are not applicable, this portion of the description is the location to disclose that information.
- Changes to the System During the Period – A disclosure of material changes to the system of internal controls during the period being audited.
Depending on the complexity of the system being described, the length of the description can vary greatly from one SOC report to the next. For example, we’ve seen very large and complex service organizations with descriptions approaching 60 pages. Yet, for other organizations that would also be regarded as large, we typically see them approaching 20 pages. Generally, it is going to be difficult for service organizations to adequately describe their system in fewer than 10 pages.
SOC Audit Required Document – Control Matrix
Organizations also need to provide their auditors a control matrix. This is generally a spreadsheet that outlines the specific controls that relate to the criteria. It will generally be structured with the following columns:
- Control Number – A reference number that identifies the individual control
- Control Activity – The language used to describe what actually occurs in a control
- Control Owner – The individual(s) responsible for performing the control. This is who the auditor will meet with to perform their walk-through testing.
- Risk Level – A risk level (Low, Moderate, High) assessed by the organization. Risk is generally determined by considering the impact and likelihood of a control failure.
- Criteria Reference – The TSC criteria that the control satisfies
The service organization auditor will spend most of their engagement testing the controls identified in the control matrix by working with the control owners during walk-throughs and testing sample documentation for each control.
Complex organizations can have upwards of 100 controls; however, most SOC 2 control matrices that we see for small and midsize service organizations contain between 55 and 75 controls.
Service organization auditors will expect you to provide to them two key documents: the Description of the System and the Control Matrix. Crafting these documents is no easy task, and auditors have specific expectations regarding how they should be written and worded. It is tempting to try to save costs by doing it yourself, but just as you wouldn’t write a legal filing without an attorney, you shouldn’t write a Description and Control Matrix without the assistance of a knowledgeable professional.
Keiter provides SOC Exam and Exam Readiness Services for all types of SOC exams. Our SOC services are provided by our Risk Advisory Services Team, which is led by experienced CPAs, CISAs, and technology professionals with industry experience. Our Risk Advisory Services Team serves a variety of industries and business types.