COMMITMENTS & SYSTEM REQUIREMENTS - THE KEY TO SOC 2


There's a ton of information out there about #soc2, so I won't get into "what is it?" (but feel free to message me if you do want to know more!)

Based on my previous post, I’m going to write a series of articles to break down some specific things that were revised/expanded/clarified/etc. in the 2022 AICPA SOC 2 guide.

I'm going to start with commitments and system requirements. Why? Because they are the core driver and (IMO) the most important aspect of everything in SOC 2 reporting. They play a part in almost every step of the SOC 2 process, from initial scoping all the way through to final reporting. Because of this, an article that detailed every aspect of commitments and system requirements in SOC 2 would be far too long. So I'll keep this high-level here, and in future posts I may go into more detail on how commitments and system requirements relate to each specific topic.

To get technical for a minute (sorry), in the 2022 SOC 2 guide the AICPA shows us how to understand commitments and system requirements (paraphrased):

  1. A service organization adopts a mission and vision, then establishes objectives to help meet that mission and vision. Services (and related systems) are designed (and implemented) by management to achieve objectives.
  2. The services (and the systems used to deliver services) contain service commitments to customers (usually included in contracts, SLAs, MSAs, etc.). System requirements account for the functioning of systems used to deliver services. Embodied in these service commitments and system requirements are the company's objectives.
  3. Controls for the system are designed to mitigate risks that would prevent the company from achieving objectives. (This is the basis for an organization's risk assessment)

So, what does that mean? Let’s use an example. Your company provides a cloud-based software application to help customers organize personal documents in a virtual environment. You want to make your customers’ lives easier and more organized at any point they choose by using your tool. Awesome mission and vision!

To help meet your mission & vision, in customer contracts you have language for “protection of customer data from unauthorized use or disclosure”. Your SLA states that the service “will be available 99.99% of the time in any given month”. These are your objectives embedded in your documented commitments to customers.

Now, because you are a prestige worldwide caliber company, you are subject to GDPR because you have customers in Europe. The system has to function in a way that meets the requirements of GDPR for your European customers - a system requirement. (NOTE – I’m going to have a future article in more detail about other frameworks in relation to SOC 2)

From there, you develop controls that help mitigate the risks of not achieving your objectives. Unauthorized access? Implement MFA. System downtime? Redundancy through your cloud infrastructure provider. And so on.

Right off the bat, we see how big of an impact commitments and system requirements have on the control environment of your company itself, but what about the SOC 2 engagement? Here are a few bullets for greater depth of how they impact SOC 2 reporting:

  • Commitments & system requirements determine the trust service categories in-scope for your SOC 2. The most commonly seen categories are security, availability, and confidentiality. For example, if you don't process customer data, processing integrity would not be in-scope because you don't commit to complete, accurate, & timely processing of customer data.
  • You measure your control environment based on the criteria for the categories in-scope.
  • Your auditor determines if you meet commitments & system requirements (based on the criteria) by auditing the design & implementation of controls (type 1) and the operating effectiveness of those controls over a period of time (type 2). This is also one of the primary bases of the auditor’s opinion!

Here is a visual of that flow down:

[Image: flow-down diagram (no alt text provided)]

Now you have an idea of how important commitments and system requirements are to the SOC 2 effort as a whole. But what else can they affect in SOC 2 engagements?

  • Complementary Subservice Organization Controls (CSOCs) – the services provided by a subservice organization relate to how they help you meet your commitments and system requirements. This is also what drives the question "vendor or subservice organization?" For example, as a SaaS application, you need a cloud infrastructure provider to help you meet the physical and environmental aspects of protection of customer data.
  • Complementary User Entity Controls (CUECs) – see my other article here for more information!
  • Reasonableness for a broad range of SOC 2 report users – normally SOC 2 reports are meant for a broad range of users, thus having a specific commitment (for example, for one customer you commit to 99.99% availability, but all others are 95%) wouldn’t be reasonable for the “normal” SOC 2.
  • Whether a system event rises to the level of an incident requiring disclosure (DC4 of the system description) – if the incident caused you to fail to meet commitments or system requirements, it would be disclosed (and could lead to a modified auditor opinion).
  • Determination of materiality and risk of material misstatement for the audit.
  • Auditor assessment of inherent and control risks for the engagement.
  • Determination if controls operated effectively or not during audit testing – were commitments and system requirements achieved?
  • Significant changes (DC9 of the system description) – you have to disclose changes that are significantly relevant to the commitments & system requirements.
  • Testing controls by the auditor including the depth and extent of testing, and evaluating results and exceptions.
  • Vendor management – the risks that using a vendor poses to the achievement of commitments and system requirements.

There is so much more I could talk about, but let’s save it for more detail in future articles! As always, if you have any questions, need to bounce some ideas, or just want to chat, feel free to message me!

More articles by Jeff Cook