In SOC 1 and SOC 2 audits, one of management's primary responsibilities is to update its system description (often referred to as Section 3 of the SOC report) from the previous year. In a first-year SOC audit, management prepares the initial draft rather than updating a prior-year description. In either case, there are several reasons why it is important to work on the system description early in the SOC audit process:
- Updating the system description early helps ensure that draft and final reports are delivered according to the project timeline.
- The system description is a central focus of the SOC audit: the auditor issues an opinion on whether it is fairly presented. It should therefore be reviewed by management, updated, and provided to the auditor before any fieldwork or control testing begins. This helps ensure an efficient and effective SOC audit.
- Receiving updates to the system description late in the SOC audit cycle, especially updates to technical controls, increases the risk that the timeline slips to allow time to test newly described controls or changes to existing ones. Every control described in the system description must be tested and reported in Section 4; if the two sections do not reconcile, the system description is not fairly presented.
- Control design deficiencies can be identified, and potentially corrected before the end of the audit period, when the system description is updated early. The later the description is updated, the less opportunity there is to correct deficiencies.
One common misconception is that, because the system description is part of the SOC report, the auditor is responsible for preparing or updating it. The AICPA states in no uncertain terms that this is management's responsibility; the auditor's responsibility is to evaluate and opine on whether the description is fairly presented. That said, once the system description has been prepared or updated, the auditor can provide valuable guidance on how to improve it and/or ensure that it addresses all of the applicable description criteria prescribed by the AICPA.