SOC 2 system description template

SOC 2 System Description & Management Assertion Template

A structured starting point for Section III and the management assertion, designed to surface missing boundaries, responsibilities, and evidence before review.

Use the reviewable outline below before deciding whether to start a guided workflow.

What this template helps you prepare

A SOC 2 system description is the narrative of the service organization and system that the engagement will examine. This template separates the description from the management assertion so a reviewer can check that both documents use the same scope, criteria, and period.

Use it to organize real inputs from architecture, service, security, and operations owners. It is not a substitute for the AICPA criteria, professional judgment, or your service auditor’s requirements.

Section III system description template outline

SectionIncludeReviewer should confirm
Company and servicesLegal entity, service description, intended users, and principal commitmentsServices and commitments match contracts, customer materials, and engagement scope.
Trust Services scopeSecurity plus any applicable Availability, Processing Integrity, Confidentiality, or Privacy categoriesEach selected category is supported by the system and control narrative.
SCSRPrincipal service commitments paired with the technical or operational requirements that fulfil themA promise such as uptime is paired with the requirements and controls that support it.
Five system componentsInfrastructure, software, people, procedures, and dataEvery component is described consistently with current architecture and operations.
BoundariesIn-scope and out-of-scope services, systems, locations, and teamsBoundaries are specific enough to prevent accidental scope expansion or omission.
Subservice organizationsProvider, service, carved-out or inclusive method, and relevant complementary controlsThe method is explicit and related CSOCs are documented where needed.
CUECsSpecific actions user entities must performEach CUEC is actionable, relevant to the service, and not generic advice.
Control environmentGovernance, risk assessment, communication, monitoring, and controls mapped to the selected criteriaControl statements agree with the rest of the description and supporting evidence.

Management assertion checklist

Assertion elementIncludeConsistency check
System identificationThe same organization and system named in the descriptionEntity, service, and scope match Section III.
Fair-presentation assertionA separate assertion about fair presentation under the applicable description criteriaIt refers to the correct description and criteria.
Control assertionA separate assertion about suitable design for Type I, or design and operating effectiveness for Type IIThe language matches the engagement type and agreed dates.
Criteria and periodApplicable Trust Services Criteria and a specific date or periodDates and categories match the engagement and system description.
Signature blockResponsible management signatory and dateAuthority and timing meet the organization’s and auditor’s process.

Ready to turn this outline into a working draft?

Start the system description workflow

Start with your real inputs. Rakenne guides the draft and checks its workflow rules; your qualified reviewer remains responsible for the final document.

Information to gather before drafting

  • Proposed Type I or Type II engagement, including the as-of date or period to be reviewed.
  • Architecture diagrams, data flows, service commitments, SLAs, and current descriptions of the service.
  • The five system components: infrastructure, software, people, procedures, and data.
  • System boundaries, locations, in-scope teams, subprocessors, and whether each subservice organization is carved out or inclusive.
  • Candidate CUECs, CSOCs, policies, control records, and the owner who can verify each statement.

Checks to run, and what they do not decide

The matching workflow checks the working description for required sections such as services, SCSR, components, boundaries, subservice organizations, CUECs, CSOCs, and control environment coverage. It also checks that Security is in scope and that the selected Trust Services categories have supporting control-environment content.

Those checks identify omissions in a drafting workflow. They do not establish that a description is fairly presented, that controls are operating effectively, or that an assertion is appropriate. Management, the control owners, and qualified SOC 2 professionals remain responsible for those determinations.

Common review questions

How detailed should the system boundary be?

It should let a reviewer understand what is in and out without relying on assumptions. Name the relevant services, systems, locations, data, and organizational responsibilities; avoid a boundary statement that simply says “our production environment.”

What makes a CUEC actionable?

It tells the user entity what to do, for whom, and in what circumstance. For example, requiring administrative MFA and timely deprovisioning is more reviewable than advising users to “maintain good security.”

Can the same outline be used for Type I and Type II?

The structural sections are similar, but the control assertion and period must match the engagement. Confirm the final wording and dates with the service auditor before signing an assertion.

Ready to let your expertise drive the workflow?

Stop wrestling with rigid templates and generic chatbots. Describe your process, let the agent handle the rest.

Get Started Free — No Sign-Up