
What Is AT-C 320?

AT-C section 320 is the part of the AICPA's clarified attestation standards under which every SOC 1 examination is performed. It defines what management's description of the system must contain, how control objectives are specified, and what the service auditor's opinion covers.

Full title: “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting” — introduced by SSAE 18, effective May 1, 2017, and still the operative SOC 1 section today.

3 layers: AT-C 105 · 205 · 320
9 system-description elements
500+ audits delivered by TCSA

Plain-English explainer · Cites the AICPA attestation standards · Last reviewed July 2026

AT-C section 320 is the AICPA attestation section that governs SOC 1 examinations. It was created when SSAE 18 recodified the US attestation standards into “AT-C” sections in 2017, and it is still the operative section for SOC 1 today — later standards (SSAE 21, SSAE 23) amended the layers underneath it without replacing it. “AT-C” simply distinguishes the clarified sections from the older “AT” codification. A SOC 1 engagement never runs on AT-C 320 alone: it sits on top of AT-C 105 (concepts common to all attestation engagements) and AT-C 205 (assertion-based examinations), with AT-C 320 adding the service-organization-specific requirements. Its international sibling is ISAE 3402 — reports issued outside the US are frequently dual-badged “SSAE 18 / ISAE 3402”.

Where It Sits

The Three-Layer Architecture

The clarified attestation standards are modular. Understanding the layers explains why “is SSAE 18 still current?” has a subtler answer than yes or no — amendments land layer by layer.

AT-C 105 — Concepts Common to All Attestation Engagements

The foundation layer: independence, professional skepticism, engagement acceptance, and quality requirements that apply to every attestation engagement. Amended most recently by SSAE 23 (effective December 2025) to align with the AICPA’s quality-management standards.

AT-C 205 — Assertion-Based Examination Engagements

The examination layer: how a CPA examines subject matter against criteria when management provides a written assertion. SSAE 21 (effective June 2022) superseded the original SSAE 18 version of this section. SOC 1 and SOC 2 are both assertion-based examinations.

AT-C 320 — Controls at a Service Organization Relevant to ICFR

The SOC 1-specific layer: subject-matter requirements for examining controls relevant to user entities’ internal control over financial reporting — the system description, management-defined control objectives, and the form of the service auditor’s report.

SOC 2, by contrast, uses AT-C 105 + AT-C 205 plus the AICPA’s Trust Services Criteria and the DC section 200 description criteria — there is no “AT-C 320 for SOC 2”. That asymmetry is why SOC 1 has no separate description-criteria document: its description requirements live inside AT-C 320 itself.

The System Description

What Management’s Description Must Contain

AT-C 320 (paragraphs .16–.17) sets the minimum elements of management’s description of the service organization’s system — the criteria the service auditor evaluates the description against. Paraphrased, the description must cover:

  • The types of services provided, including, as appropriate, the classes of transactions processed.
  • The procedures — automated and manual — by which services are provided, from transaction initiation and authorization through recording, processing, correction, and reporting.
  • The related accounting records and supporting information involved in initiating, recording, processing, and reporting transactions.
  • How the system captures and addresses significant events and conditions other than transactions (for example, system failures or data-conversion events).
  • The process used to prepare reports and other information for user entities.
  • The services performed by subservice organizations, and whether they are treated under the carve-out or the inclusive method.
  • The specified control objectives and the controls designed to achieve them.
  • Complementary user entity controls (CUECs) — and, where a carve-out applies, the complementary subservice organization controls (CSOCs) — assumed in the design of the controls.
  • Other relevant aspects of the control environment, risk assessment process, information and communications, control activities, and monitoring that support the stated control objectives.

For a Type 2 report, the description must also cover relevant changes to the system during the examination period. The description does not have to disclose every procedural detail, but it must not omit or distort information that is relevant to the internal control over financial reporting of the user entities it serves.

Control Objectives & the Opinion

Management Defines, the Auditor Opines

The most misunderstood feature of SOC 1: the control objectives are specified by management, not prescribed by the AICPA. There is no master checklist. Management states objectives that are reasonable, complete, and relevant to the ways its services affect user entities’ internal control over financial reporting — typically spanning transaction processing, logical access, change management, data integrity, and monitoring — and the service auditor evaluates whether those objectives are suitable before testing anything. This is the opposite of SOC 2, where the AICPA’s Trust Services Criteria are fixed and management maps controls to them.

AT-C 320 also requires a written management assertion — management asserting that the description is fairly presented, the controls were suitably designed, and (for Type 2) operated effectively. Without the assertion, the CPA cannot issue the report. The resulting opinion covers: (1) whether the description is fairly presented, (2) whether controls were suitably designed to achieve the stated objectives, and for a Type 2, (3) whether they operated effectively over the period, with the auditor’s tests and results described. SOC 1 reports are restricted-use: written for user entities, their financial-statement auditors, and management — not for public distribution.

AT-C 320 — Common Questions

How the standard behind SOC 1 actually works.

What is AT-C section 320?

AT-C section 320 — “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting” — is the section of the AICPA’s clarified attestation standards under which SOC 1 examinations are performed. It was introduced by SSAE 18 (effective May 1, 2017) and prescribes the system description, management-defined control objectives, the management assertion, and the form of the service auditor’s report.

Is AT-C 320 the same as SSAE 18?

AT-C 320 is one section of the codification SSAE 18 created. SSAE 18 recodified all US attestation standards into AT-C sections (105, 205, 210, 215, 320, and others). So “an SSAE 18 report” and “an AT-C 320 examination” usually refer to the same SOC 1 engagement — SSAE 18 is the statement, AT-C 320 is the codified section a SOC 1 is actually performed under.

What sections does a SOC 1 examination actually follow?

Three layers together: AT-C 105 (concepts common to all attestation engagements), AT-C 205 (assertion-based examination engagements — the version revised by SSAE 21, effective June 2022), and AT-C 320 (the SOC 1-specific requirements). Later amendments such as SSAE 23 (quality management, effective December 2025) landed in the common layers without changing AT-C 320’s SOC 1 requirements.

What must the SOC 1 system description include under AT-C 320?

AT-C 320 requires management’s description to cover, at minimum: the services and transaction classes; the procedures from initiation to reporting; the related records; how significant non-transaction events are handled; report preparation; subservice organizations and the carve-out/inclusive choice; the control objectives and controls; complementary user entity controls (CUECs); and the relevant control-environment, risk-assessment, information/communication, and monitoring aspects. Type 2 descriptions also cover significant changes during the period.

Who defines the control objectives in a SOC 1?

Management of the service organization. Unlike SOC 2 — where the AICPA’s Trust Services Criteria are prescribed — SOC 1 control objectives are specified by management to reflect how its services affect customers’ financial reporting, and the service auditor evaluates whether they are reasonable, complete, and relevant (then tests the controls against them).

What is the difference between AT-C 320 and ISAE 3402?

AT-C 320 is the US (AICPA) standard; ISAE 3402 is the IAASB’s international equivalent for assurance reports on controls at service organizations. The engagements are conceptually aligned — many service organizations obtain a single examination badged “SSAE 18 / ISAE 3402” so the report is usable by both US and international user auditors.

Related reading: the Learn hub, SSAE 18 vs SSAE 21 (which standard is current), CUECs & CSOCs, SOC 1 description criteria, and our SOC 1 services guide. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor, ISO 27701 Lead Auditor

Last reviewed: July 2026. Content verified by certified lead auditors.
