Updating the SOC 1 System Description
By: Sue Wells, Senior Consultant at A-LIGN
In preparation for a SOC 1 audit, a service organization’s management is required to provide a system description under the SSAE 16 auditing standard. Until recently, little guidance was available to help service organization management prepare that description. In January 2014, the AICPA’s Information Management and Technology Assurance section issued the whitepaper “CPAs Guide to Developing the System Description for a SOC 1 Engagement.” To help organizations develop a suitable system description for their SOC 1 reports, we have created an outline that breaks down the AICPA’s new guide.
The Purpose of the SOC 1 Description
The primary purpose of a system description is to allow your clients and their auditors to gain insight into your internal control environment; specifically, how your controls mitigate the risk of misstatements in your clients’ financial statements. A system description should describe what transactions take place; how data is entered into the various systems used; what the outputs of that data are; and what, if any, additional steps are taken to reduce specific risks for that particular company.
The system description is a critical part of a SOC 1 report, as management is required to sign an assertion letter and can be held accountable for the information provided in the system description. Management must ensure that the system description it has provided fairly presents the system and that the system was in place throughout the review period (Type 2 SOC 1 report) or on the review date (Type 1 SOC 1 report). If user auditors rely on the SOC 1 report as part of their audits and some of the information is incorrect, it can affect the user organization’s internal control over financial reporting and potentially lead to a misstatement in the user’s financial reporting. As an independent auditor, A-LIGN can assist clients in preparing their description and reviewing it against the AICPA guidance.
Define the Relevant Business Services
It is important for management to identify which services should be described in the system description. There are several areas where management can look to identify these relevant services and descriptive prose.
- Review your Marketing Materials: the description must be fact-based and verifiable, so be sure to look at the marketing materials from an objective point of view.
- Read the Contracts: review your contracts to determine what services are promised and how those deliverables affect your clients’ internal control over financial reporting.
- Talk to the Process Owners: identify the internal process owners who are knowledgeable about how clients are serviced. Product managers are often a great place to start, as they have a good working knowledge of how the various departments interact to provide the various parts of a service offering.
- Talk to your Customers: speak to key customers to develop a greater understanding of what services are offered and how those services affect your clients’ financial reporting.
- Meet with Key Personnel: managers should meet with personnel who are involved in processing client transactions to identify the types of data handled, how processes are performed, and whether or not sub-service organizations (third-party vendors) are used.
Documenting the Key Parts of the Business
The system description should include:
- Personnel responsible for using and operating the system.
- Procedures (both automated and manual) used to deliver services to clients.
- Accounting records involved in initiating, authorizing, recording, and processing user transactions and how this information is transferred to the reporting system.
- Technical descriptions of your system infrastructure (physical hardware components), software, and data, as well as how the system captures and addresses events that are not transactions.
The AICPA has provided examples and guidance to give you a starting point.
Performing a Risk Assessment
A service organization’s management must identify the risks that errors and omissions in performing key business processes could lead a user organization to misstate something in its financial reporting. A-LIGN auditors can help management identify the relevant financial statement assertions, such as completeness, accuracy, or timeliness, as a basis for performing the risk assessment.
Specifying the Control Objectives
Once management understands the risks within its business processes, the service organization can identify the control areas and related control objectives that mitigate the risks identified. Key control activities are then identified to support each control objective; these are the controls the service auditor will test during the SSAE 16 audit.