📄

SOC 2 System Description Generator

Section 3 of your SOC 2 report — the System Description

SOC 2 Type I & IIAICPA TSCPre-Audit

What is a SOC 2 System Description?

Section 3 (the System Description) is the longest and most detailed part of every SOC 2 report. It describes the system under audit — its boundaries, infrastructure, data flows, and controls. Auditors use it to scope their testing. Enterprise prospects read it to evaluate your security posture. This generator drafts a comprehensive Section 3 starting point that maps to AICPA DC Section 200.

Company & Audit Info→

System Components & Controls

Company / Organisation Name *

Company Website

Country / Jurisdiction *

Team Size

Audit Type *

SOC 2 Type I — Design effectiveness (point in time)SOC 2 Type II — Operating effectiveness (period of time)Bridge Letter — Covers gap between annual Type II reports

Audit Period Start

Audit Period End

Auditor / CPA Firm Name (if known)

System Name (as it will appear in the report) *

What does the system do? (1–2 sentences) *

Additional System Context (optional)

Trust Service Criteria in Scope *

Security (CC) — Required for all SOC 2 reportsAvailability (A) — System accessible as committedConfidentiality (C) — Confidential information protectedProcessing Integrity (PI) — Complete, valid, accurate processingPrivacy (P) — Personal information collected per AICPA privacy principles