Exposure Draft Issued on SOC 2 Description Criteria

August 1, 2017

As a result of its decision to publish a standalone document describing a service organization’s system, the American Institute of Certified Public Accountants (“AICPA”) recently issued the exposure draft, Proposed Revision of Description Criteria for a Description of a Service Organization’s System in a SOC 2(R) Report.

The proposed revision of the SOC 2 description criteria will be separate from the AICPA Guide, Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®), and codified in AICPA Professional Standards as measurement criteria. Also, additions to future Guide revisions will feature passages from the description criteria.

Some of the more significant updates to the description criteria include new disclosures on the service organization’s principal service commitments and system requirements, as well as incidents that resulted in a key impairment of a company’s success of its service commitments and system requirements. Additional implementation guidance is also offered in the description criteria.

Comments on the exposure draft are due Thursday, September 7.