Some service organizations struggle to determine what information to include in the system description of their SOC 1 report. A useful resource for ensuring that the system description includes all of the required components is AT-C Section 320: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (AT-C 320). This is the authoritative standard that auditors must follow for SOC 1 reporting. AT-C 320 provides a list of criteria that must be addressed in the system description, which are described below.
According to AT-C 320, management’s description of the service organization’s system should present how the service organization’s system was designed and implemented, including the following information about the service organization’s system, if applicable:
- The types of services provided, including, as appropriate, the classes of transactions processed.
- The procedures, within both automated and manual systems, by which services are provided, including, as appropriate, procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports and other information prepared for user entities.
- The information used in the performance of the procedures, including, if applicable, related accounting records, whether electronic or manual, and supporting information involved in initiating, authorizing, recording, processing, and reporting transactions. This includes the correction of incorrect information and how information is transferred to the reports and other information prepared for user entities.
- How the service organization’s system captures and addresses significant events and conditions other than transactions.
- The process used to prepare reports and other information for user entities.
- Services performed by a subservice organization, if any, including whether the carve-out method or the inclusive method has been used in relation to them.
- The specified control objectives and controls designed to achieve those objectives, including, as applicable, complementary user entity controls and complementary subservice organization controls assumed in the design of the service organization’s controls.
- Other aspects of the service organization’s control environment, risk assessment process, information and communications (including the related business processes), control activities, and monitoring activities that are relevant to the services provided.
Conclusion:
If you are a service organization that receives a SOC 1 report, be sure to reference and use the criteria found in AT-C 320 so that your system description includes all of the necessary information. This will help ensure a smooth SOC 1 audit!
