In January 2014, the AICPA released a new whitepaper, CPAs' Guide to Developing the System Description for a SOC 1 Engagement. The document provides important guidance for service organizations undergoing an SSAE 16 SOC 1 audit. As part of the preparation process, a service organization is required to provide its auditors with a system description highlighting key aspects of its internal control structure. Until recently this was a challenge for many organizations because of the lack of guidance on how to approach the task.
The whitepaper provides management with the key information needed to develop the system description. To help our clients, prospects and others understand the process, Holtzman Partners has provided a summary of the key points below.
Developing the System Description
Below is a list of the key sections discussed in the whitepaper, which outline the key steps in the thought process management can use when developing the system description. These include:
- Purpose of the Description – The purpose of the description is to provide auditors with an understanding of the overall organization, with a focus on internal controls. The description should be specific enough that auditors can identify and assess the risks of material misstatement in the financial statements and design procedures to test each risk area. It's important to note that no particular form of system description is prescribed, other than that it should be clear and easy to understand.
- Purpose of Management Assertion – This provides an assertion that the system description fairly presents the organization's internal control structure. It also asserts that the controls stated in the description were suitably designed to achieve the stated objectives.
- Define Services Included & Define Relevant Control Objectives – It's important to identify the services that will and will not be covered by the system description and by the auditor's report. Accurately identifying the scope is the key to ensuring that only the essential services and their matching systems are examined. To uncover essential services, the AICPA recommends reviewing marketing materials and contracts, and meeting with process owners, customers and key service personnel to understand how their internal controls are impacted. The more insight obtained in this phase, the more accurate the system description and the more valuable the audit.
- Document Entity Level Control Components – Once the engagement scope is determined, the next step is to document each aspect of the entity level components of internal control. This should include the control environment, information and communication, monitoring and risk assessment. Management can get additional information from company policies and procedures, audit and other board committee minutes, and enterprise risk management documentation. Once compiled, management can sort the information and match it to the internal control components in simple and direct language.
- Document Key System Elements – When the entity level control components have been described, management should then create a description of the key system elements, including how the system was designed and implemented. Items that should be considered include: the employees involved in system use and operation; the process by which services are provided, including how transactions are initiated, authorized, recorded, processed and, when necessary, corrected; the technical components, which can include infrastructure, software and system data; the process used to prepare reports; and other aspects of the control environment, risk assessment and monitoring activities relevant to the services provided. As the information gathering process develops, management should take note of changes in the system and controls that occurred during the examination period and document them within the system description. Remember, it's important to provide a detailed description of the system so that it covers the full lifecycle of transaction processing and critical details are not omitted.
- Document Key Complementary User-Entity Controls (CUECs) – Complementary User Entity Controls (CUECs) are controls identified in the service organization's system description that user entities must implement in order for certain control objectives to be met. For example, to the extent user entities are given access to the service organization's system, there should be controls in place to ensure that access is limited to authorized employees and that terminated employees' access is revoked. These controls should be identified as CUECs at the end of the system description.
- Document Subservice Organizations – In developing the system description it’s important to outline the services provided by any subservice organizations. By identifying the services provided by subservice organizations, management will have a clear understanding of the control activities performed by these subservice organizations.
- Specifying Control Objectives – The system description should also include the system's control objectives and the controls designed to accomplish the stated objectives. When determining control objectives, management should consider the risks within its system of services and how they may impact customers' internal control structures.
Additional Points to Consider
There are other items management may want to consider when going through the above-mentioned steps. These include:
- Seeking Auditor Assistance – While the audit firm is required to maintain independence from management, it is permitted to provide guidance and assistance in certain aspects of document development. As a result, management should feel free to reach out to the audit firm to ask questions and solicit feedback. Oftentimes audit firms will provide an additional perspective that management had not considered.
- Description Format – Remember that the more informative the system description is, the better. For this reason it is recommended that management include narratives, flow charts, tables and graphs to clearly illustrate system functionality.
- Timing – It's important to complete the system description as soon as the SOC 1 engagement is initiated. Delays in providing this needed document to the audit team will draw out the process and make it more difficult to meet benchmarks.