When issuing a SOC 1 report, the system description is the basis for the controls that the auditors test.
Preparing and reviewing the system description with key stakeholders, including members of management, IT, HR, and in-house council, is a beneficial exercise for SOC 1 preparation. The sooner a review is performed, the sooner the benefits of the review can be realized.
Benefits to the service organization / audit include:
- Awareness of the SOC 1 subject matter by key stakeholders, management, legal and other interested parties.
- Identification of any necessary scope, control objective, control activity or other report changes that should be reflected in the current year report.
- Consideration of issues identified in prior year reports (as applicable) and the impact of these issues on the system description.
- Identification and addition of user entity control considerations and non-key controls to the system description.
- Improvement of the usability and clarity of the system description.