Establishing methods of effective monitoring is a critical component of SOC 2 compliance. During a SOC 2 audit, an auditor will not only assess whether or not an organization is effectively monitoring their internal controls but also whether or not the proper person is monitoring those internal controls. Why is that? It comes down to the need for checks and balances, so let’s discuss.

Monitoring Internal Controls

When deciding who should monitor internal controls, the person selected needs to be someone outside of the environment who is not responsible for the control itself. For example, if a network administrator is responsible for verifying that a control they built over their own network is functioning correctly, that administrator could miss critical weaknesses precisely because they work so closely with the network on a daily basis. Similarly, letting the person responsible for a control also be the one who monitors it removes a check and creates an opportunity for that employee to commit and conceal fraudulent behavior.

During the SOC 2 audit process, an auditor will verify that the correct personnel are tasked with monitoring internal controls. Auditors will want to see that organizations are conducting valid, accurate, and above-board evaluations of internal control, and organizations can do this by assigning oversight to the correct personnel. Think of it this way: why do organizations seek out third-party audit firms instead of relying solely on their internal audit team? For organizations that are serious about strengthening their security posture, a third-party audit firm helps identify and mitigate vulnerabilities that their internal audit department may have missed. The same blind spot exists when the person who built a network or system component is also the one responsible for monitoring it. To sustain an organization’s security posture, it’s critical that the correct person is monitoring the internal controls.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

When we talk about monitoring internal control, it’s very important to ask the question: is the right person monitoring the right thing? For example, if you have an IT function and the only person who is monitoring that IT function is the IT person who implemented it in the first place, then that isn’t a proper way to monitor that control. You have to have some method of evaluating the control and environment that is outside of the one person who is responsible for it. Penetration testing is a great example of this. A lot of times we find that the person who configured and implemented the system is also the person who hires, selects, and monitors the results of the penetration test, but you should ideally keep that separate so that you can have a valid, accurate, and above-board evaluation of a system when you choose to engage in a monitoring activity, such as penetration testing.

Common Criteria 4.1

When a service organization undergoes a SOC 2 audit, auditors will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.1 (CC4.1) states, “The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Why is it so important that organizations effectively perform evaluations of internal control? Let’s find out.

Monitoring Internal Control for SOC 2 Compliance

Because every organization is different when it comes to monitoring activities, an auditor will seek to understand what the organization does and how they do it during a SOC 2 audit. Considering this, in order for an organization to demonstrate that they comply with common criteria 4.1, they’ll need to show that they are conducting evaluations of internal control, which should include:

  • Considering a mix of ongoing and separate evaluations
  • Considering the rate of change of business or business processes
  • Using the current internal control system to establish a baseline understanding for future evaluations
  • Using knowledgeable personnel to conduct the evaluations of internal control
  • Integrating the evaluations of internal control with business processes
  • Adjusting the scope and frequency of evaluations depending on risk
  • Ensuring that separate evaluations are conducted periodically to promote objectivity
  • Utilizing various types of evaluations of internal control (e.g., penetration testing, third-party assessments, or internal audits)

Auditors will also want organizations to explain how they conduct evaluations of internal control. For instance, this might be done by explaining to an auditor that your department heads receive reports biweekly while leadership and department heads meet monthly to review those reports to determine how the organization should implement changes. Essentially, having effective evaluations of internal control allows organizations to ensure that their internal controls are present and functioning, and if they aren’t, the evaluations of internal control will give insight into the vulnerabilities that need to be remediated.


Video Transcription

SOC 2 common criteria 4.1 (CC4.1) says that the entity has to select, develop, and perform ongoing and/or separate evaluations of their internal control functioning. Generically speaking, this is monitoring. How do you monitor the performance of your internal control within your organization? Do you have regular meetings and conversations with departments to look at the results that they’ve experienced? Do you have data that comes to you that has to be analyzed and reviewed in order to determine whether a system is operating the way it’s supposed to? Do you get output from the various technologies that you’ve put into place in order to identify if anything has changed or if a new threat has appeared? How do you monitor the overall functioning of your team? This means more than just the systems and processes, but also the people. Every organization is different when it comes to monitoring activities, so when we’re performing that audit, we’re seeking to understand what you do and how you do it. For example, we’d like for you to explain to us the meetings you have on a weekly basis, the reports that you review on a monthly basis, and the processes that are in place to help you make decisions or changes within the organization as you review data. We want you to help us understand your environment better, so that we can help guide you and help you understand whether or not your monitoring activities are compliant with common criteria 4.1.

The Importance of Teamwork During a Risk Assessment

During a SOC 2 audit, an auditor will assess an organization’s risk assessment processes. This includes not only how the organization assesses risk, but also the people involved in the risk assessment process. Auditors will want to see that the organization has a process in place defining who should make updates to the risk assessment. Why is that? One of the common findings of SOC 2 audits is that organizations treat their risk assessment as something they update from the previous year without much thought, and they often don’t involve the appropriate members of the organization in the risk assessment process. Why is teamwork important during a risk assessment? Who should make updates to the risk assessment? Let’s discuss.

Conducting a risk assessment is a proactive way for organizations to identify and assess organizational risk, but a risk assessment is not a one-person job. In order to get the most out of a risk assessment, more than just the IT department needs to be involved. Compliance, operations, and even the front desk receptionist and security guards could be involved in identifying, assessing, and mitigating risks. If only the IT department is involved, critical information could be left out of the risk assessment. For instance, there might be updated regulations or laws that an organization is required to adhere to, and if compliance personnel don’t notify the IT team, the organization might be at risk of non-compliance. Likewise, say that operations implemented a new product development process. If they aren’t involved in the risk assessment, who else will be able to explain the intricacies and potential vulnerabilities of the new process? And if the various departments aren’t involved in the risk assessment process, how will anyone know who should make updates to the risk assessment? Ultimately, teamwork during the risk assessment process allows organizations to identify risks they may otherwise have missed, increasing the effectiveness of the risk assessment and strengthening their security posture.


Video Transcription

One of the common findings that we have in an entity’s risk assessment is that it was just treated as something that they updated without much thought from the previous year, and they didn’t involve the appropriate members from the organization to contribute to the risk assessment process. It shouldn’t be something that just one person knows about, or one person completes, because you might be missing some very relevant intelligence from people who work at the warehouse or people who work in sales. The risk assessment involves not only people who work in IT, but also people who work in compliance, operations, or even the front desk receptionist. Consider how you can involve the most people in your organization in your risk assessment process, so that you can identify risks that you might not be aware of.

Common Criteria 3.4

When a service organization undergoes a SOC 2 audit, auditors will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.4 (CC3.4) states, “The entity identifies and assesses changes that could significantly impact the system of internal control.” Let’s take a look at what organizations need to do during their SOC 2 audit to demonstrate compliance with common criteria 3.4.

Consider Organizational Changes in Your Risk Assessment

During the annual risk assessment review, organizations often say that they have not experienced any organizational changes since their last audit. While it’s true that organizations might not go through significant changes during the time between audit periods, such as an overhaul of leadership, laying off entire departments, or merging with another business, organizations will almost always experience some change. This is why it is so important that organizations are proactively assessing changes within their organization, no matter the size.

During a SOC 2 audit, an auditor will observe how an organization assesses changes within their organization. These organizational changes might include:

  • Changes to the external environment
  • Changes to the business model
  • Changes to leadership
  • Changes to the organization’s systems and technology
  • Changes to vendor and business partner relationships

For example, if leadership decides to adopt a new technology, how does that impact the organization’s system of internal control? What new risks does the new technology add? Are new processes needed to monitor it? Do you know all of the resources available to effectively deal with the risks associated with it? Do you need to hire new employees to manage it? Adding something as simple or as complex as new technology must be considered during an organization’s annual risk assessment. Organizations that fail to effectively assess changes within their organization will be at greater risk of data breaches and security incidents, because they won’t have a cohesive understanding of the risks that could impact their system of internal control.


Video Transcription

One of the things we do when we kick off an audit is ask, has anything changed within the last year? More often than not, it seems that people always answer that there have been no changes and that everything remains the same as the previous year. However, it’s really hard to not have any changes. When you start to look at it, it’s clear that there are changes, such as personnel, location, and technology changes. You have to consider all of those things in your risk assessment when it comes to changes that have affected your environment. Common criteria 3.4 (CC3.4) of the SOC 2 Trust Services Criteria requires that you take that into consideration in your own risk assessment. What are the things that have changed this year? What new risks could those introduce into the organization? Did you bring new technology in and haven’t yet learned how to monitor it? Do you know all of the resources available to effectively deal with the risks associated with new technology? What about personnel? If you add a new person to your leadership team who brings in a new perspective, what risks could a change in new ideas or personality present? Did you allow employees to work from home this last year or open a new satellite office? Any of those kinds of changes that you’ve introduced into your environment must be identified and considered, at a minimum, in your annual risk assessment.

Common Criteria 3.3

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.3 (CC3.3) states, “The entity considers the potential for fraud in assessing risks to the achievement of objectives.” This means that organizations must consider how fraud can impact risk. What does an organization need to do to comply with common criteria 3.3? Let’s find out.

Assessing Opportunities for Fraud

As part of the risk assessment process, organizations need to assess opportunities for fraud within the organization so they can understand how fraud can impact risk. This includes not only the different types of fraud that might be committed, but also the incentives, pressures, attitudes, and rationalizations that could influence someone within the organization to commit fraud. During the SOC 2 audit, an auditor will verify that the entity has considered any type of fraud that could be committed, such as fraudulent reporting, corruption, or loss of assets. Similarly, an auditor will want to see that an organization is proactively assessing incentives and pressures to partake in fraudulent activities. For example, if an organization has a rigorous bonus program based on meeting certain objectives, how do they mitigate the potential for fraudulent behavior? If an employee commits fraud in order to receive their incentive bonus, what risks does that pose to the organization? Does the organization have a strict no-tolerance policy for fraudulent activities? How does management respond to employees committing fraud? Do they rationalize the behavior?

Think about it this way: what would be the impact to your organization if an employee accessed and stole sensitive data? What if an employee altered records to get ahead? Assessing opportunities for fraud is critical for all organizations, because it is how an organization comes to understand the ways fraud can impact its risk. Employees are often viewed as the weakest security link, and this includes the risk that they will commit fraud. If you’re in the process of preparing for a SOC 2 audit, how are you assessing opportunities for fraud within your organization?


Video Transcription

When pursuing compliance with common criteria 3.3 (CC3.3) in the SOC 2 Trust Services Criteria, you want to make sure in your risk assessment that you’ve considered the impact of fraud on your level of risk. For example, have you put too much emphasis on meeting the objectives of the organization? Is there an incentive or opportunity for an employee to commit fraud in order to meet that incentive? Do employees have attitudes and rationalized behaviors that have developed because they’re so concerned about meeting the incentive or receiving the potential reward for accomplishing their duties that they make the decision to use fraud to make it seem like they’ve done that? You need to incorporate this attitude and the potential for fraud to impact your organization as you assess your own risks.