SOC 1 Description Criteria
A question that trips up even experienced teams: which description criteria does a SOC 1 use? The answer — SOC 1 has no separately published criteria document. DC section 200 is SOC 2-only; SOC 1's description requirements live inside AT-C section 320 itself.
The one-line rule: DC 200 → SOC 2. AT-C 320 (¶.16–.17) + the AICPA SOC 1 Guide → SOC 1. If a SOC 1 assertion cites DC 200, something is off.
Plain-English explainer · Cites AT-C 320 & DC section 200 · Last reviewed July 2026
SOC 1 does not have a separately published description-criteria document. The AICPA’s DC section 200 applies to SOC 2 reports only. Every SOC report contains a “description of the service organization’s system” that management asserts is fairly presented — and that assertion has to point at criteria. For SOC 2, the AICPA published those criteria as a standalone document: DC section 200, the “2018 Description Criteria” (with revised implementation guidance issued in 2022), containing nine numbered criteria. For SOC 1, no equivalent document exists — and none is needed, because AT-C section 320 builds the description requirements directly into the standard (paragraphs .16–.17), with the AICPA’s SOC 1 Guide expanding on how to apply them. Same concept, different plumbing — and a reliable way to tell whether whoever drafted your report documents knows the difference.
Side by Side
SOC 1 vs SOC 2 Description Regimes
| | SOC 1 | SOC 2 |
|---|---|---|
| Where the criteria live | Inside the attestation standard itself — AT-C section 320 (paragraphs .16–.17) — supplemented by the AICPA SOC 1 Guide. | A separately published document: DC section 200, “2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report” (with revised implementation guidance, 2022). |
| What the controls are measured against | Control objectives specified by management, relevant to user entities’ financial reporting (ICFR). | The AICPA’s prescribed Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). |
| How the assertion refers to criteria | Management asserts the description is fairly presented based on the description criteria set out in AT-C 320 / the SOC 1 Guide (often restated in the assertion itself). | Management asserts the description is presented in accordance with DC section 200, cited by name. |
| Number of criteria | No numbered list — a set of required description elements (services, procedures, records, subservice organizations, control objectives, CUECs, and so on). | Nine numbered description criteria (DC1–DC9), each with implementation guidance. |
Practical Consequences
Why the Distinction Matters
- Drafting a SOC 1 description: work from the AT-C 320 element list (services, procedures, records, non-transaction events, reporting, subservice organizations, control objectives, CUECs, control environment) — not from DC1–DC9.
- Writing the management assertion: cite the AT-C 320-based criteria for SOC 1; cite DC section 200 for SOC 2. Mixing them up is a real finding we encounter in readiness reviews of template-drafted reports.
- Reading a report: the criteria named in the assertion tell you instantly which report type you are holding — useful when a vendor mislabels a SOC 2 as a “SOC 1” or vice versa.
- Dual-report programs (SOC 1 + SOC 2): expect to maintain two descriptions with different skeletons, even though large parts of the underlying system content overlap.
Description Criteria — Common Questions
Where each report type’s description requirements actually come from.
Does DC section 200 apply to SOC 1 reports?
No. DC section 200 — the AICPA’s “2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report” (with revised implementation guidance issued in 2022) — applies to SOC 2 engagements only. SOC 1 descriptions are prepared against the requirements embedded in AT-C section 320 and the guidance in the AICPA SOC 1 Guide.
So where are the SOC 1 description criteria located?
Inside the attestation standard itself. AT-C section 320 (paragraphs .16–.17) lists what management’s description of the system must cover — services and transaction classes, procedures, records, significant non-transaction events, report preparation, subservice organizations and the carve-out/inclusive choice, control objectives and controls, CUECs, and relevant control-environment components. The AICPA SOC 1 Guide expands on applying these, and management’s assertion typically restates them as the criteria used.
Why does SOC 2 get a separate criteria document but SOC 1 doesn’t?
Because of what the controls are measured against. SOC 2 evaluates controls against prescribed, framework-style Trust Services Criteria, so the AICPA published matching standalone description criteria (DC1–DC9). SOC 1’s subject matter is inherently entity-specific — management defines its own control objectives around its customers’ financial reporting — so the description requirements could be written once, generically, into AT-C 320.
What are the nine SOC 2 description criteria (DC1–DC9) at a high level?
At a high level, DC section 200 requires the SOC 2 description to cover: the types of services provided; the principal service commitments and system requirements; the components of the system (infrastructure, software, people, procedures, and data); significant system incidents that resulted from control failures; the applicable trust services criteria and related controls; complementary user entity controls; subservice organizations under the carve-out or inclusive method; any applicable trust services criteria deemed not relevant to the system; and, for Type 2 reports, significant changes to the system during the period. The exact text and implementation guidance are in the AICPA’s DC 200 publication.
What should the management assertion cite in each report?
In a SOC 2, management asserts the description is presented in accordance with DC section 200 and that controls meet the applicable Trust Services Criteria. In a SOC 1, management asserts the description is fairly presented based on the description criteria drawn from AT-C 320 (usually restated in the assertion) and that controls achieve the stated control objectives. The service auditor’s opinion mirrors the same criteria.