Robert Ramsay – CPA, CISA, CITP, HITRUST CCSFP
Bryan Gayhart – CPA, CISA, HITRUST CCSFP
Robert Ramsay: Thanks for joining us on our DIY series. This little episode is talking about description criteria. There are multiple requirements for these SOC reports, but a big area is the description criteria.
Bryan Gayhart: And so the AICPA, they have defined the description criteria, and they’ve given us the headlines or the categories that we need. But what’s my next step in addressing those?
Robert Ramsay: Yeah, good question. And we have included them. So click on the link below, and you can get a copy of all nine with the definitions and everything. But what we wanted to mention today is if you copy that and are able to read it and go through it, and especially if you have an example of another SOC report from a vendor of yours maybe, you can see these criteria and how they are disclosed. It’s often called section three, the system description, and it’s a verbose listing of how your service is offered and includes these criteria. And if you’re able to draft a good bit of that with your team, you’ll save a lot of time and energy when the CPAs show up to work on the SOC report.