AICPA Description Criteria for a Description of a Service Organization's System (DC Section 200, 2018/2022)

AICPA criteria for describing a service organisation system in SOC 1 and SOC 2 reports, covering system boundaries, controls, and complementary controls. Applies to service organisations and their auditors.

  • Rules extracted: 9
  • Obligations decomposed: 27
  • Avg obligations per rule: 3.0x
  • Jurisdiction: 🇺🇸 United States

What AuditDSS covers

  • Source: 1 Regulation
  • Extracted: 9 Rules
  • Decomposed: 27 Obligations
  • Decomposition ratio: 3.0x

Each rule is decomposed into an average of 3.0 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 27 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in AICPA DC Section 200 (SOC 2 Description Criteria) is scored across independent risk dimensions:

  • W (Obligation Weight): How critical within the regulatory framework
  • L (Violation Likelihood): How often breached in practice
  • E (Enforcement Evidence): Regulator enforcement history and penalties
  • C (Cascade Dependency): How many obligations depend on this one

Regulatory details

  • Full title: AICPA Description Criteria for a Description of a Service Organization's System (DC Section 200, 2018/2022)
  • Regulatory body: American Institute of Certified Public Accountants
  • Jurisdiction: 🇺🇸 United States
  • Document type: standard
  • Effective date: January 1, 2022

Who this applies to

  • service organizations
  • SaaS providers
  • cloud service providers
  • data centers
  • managed service providers
  • technology companies
  • financial services firms

Key requirements

  • 9 Description Criteria (DC1-DC9)
  • Types of services provided (DC1)
  • Principal service commitments and system requirements (DC2)
  • System components: infrastructure, software, people, procedures, data (DC3)
  • System incidents from control failures (DC4)
  • Applicable trust services criteria and related controls (DC5)
  • Complementary user entity controls (DC6)
  • Subservice organization disclosures — inclusive and carve-out methods (DC7)
  • Non-relevant trust services criteria and reasons (DC8)
  • Significant changes during the period for type 2 (DC9)

Frequently asked questions about AICPA DC Section 200 (SOC 2 Description Criteria)

What is AICPA DC Section 200 (SOC 2 Description Criteria)?

AICPA criteria for describing a service organisation system in SOC 1 and SOC 2 reports, covering system boundaries, controls, and complementary controls. Applies to service organisations and their auditors.

Who does AICPA DC Section 200 (SOC 2 Description Criteria) apply to?

AICPA DC Section 200 (SOC 2 Description Criteria) applies to service organizations, SaaS providers, cloud service providers, data centers, managed service providers, technology companies, and financial services firms.

How many obligations does AICPA DC Section 200 (SOC 2 Description Criteria) contain?

AuditDSS has decomposed AICPA DC Section 200 (SOC 2 Description Criteria) into 27 atomic obligations from 9 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of AICPA DC Section 200 (SOC 2 Description Criteria)?

The key requirements include: 9 Description Criteria (DC1-DC9), Types of services provided (DC1), Principal service commitments and system requirements (DC2), System components: infrastructure, software, people, procedures, data (DC3), System incidents from control failures (DC4), Applicable trust services criteria and related controls (DC5), Complementary user entity controls (DC6), Subservice organization disclosures — inclusive and carve-out methods (DC7), Non-relevant trust services criteria and reasons (DC8), Significant changes during the period for type 2 (DC9).

How can I assess my AICPA DC Section 200 (SOC 2 Description Criteria) compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 27 AICPA DC Section 200 (SOC 2 Description Criteria) obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces AICPA DC Section 200 (SOC 2 Description Criteria)?

AICPA DC Section 200 (SOC 2 Description Criteria) is enforced in the United States by the American Institute of Certified Public Accountants.

When did AICPA DC Section 200 (SOC 2 Description Criteria) come into effect?

AICPA DC Section 200 (SOC 2 Description Criteria) became effective on January 1, 2022.

What industry does AICPA DC Section 200 (SOC 2 Description Criteria) apply to?

AICPA DC Section 200 (SOC 2 Description Criteria) is primarily relevant to the Medical Devices & Diagnostics industry. AuditDSS covers 64 regulations in this industry sector.

Build an AICPA DC Section 200 (SOC 2 Description Criteria) compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for AICPA DC Section 200 (SOC 2 Description Criteria) — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering AICPA DC Section 200 (SOC 2 Description Criteria) requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine AICPA DC Section 200 (SOC 2 Description Criteria) with other regulations into a single unified compliance pack for your business.

Already have a policy? Assess it against AICPA DC Section 200 (SOC 2 Description Criteria)

1. Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

2. AI maps against 27 obligations

Your document is scored against every obligation in AICPA DC Section 200 (SOC 2 Description Criteria). Each claim is mapped to the obligation tree and evaluated for coverage.

3. Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.

Assess your AICPA DC Section 200 (SOC 2 Description Criteria) compliance

Upload your document and get a risk-scored gap analysis against 27 AICPA DC Section 200 (SOC 2 Description Criteria) obligations in under 5 minutes.