Common Criteria 1.4

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the SOC 2 Trust Services Criteria. Common criteria 1.4 says that an organization must demonstrate a commitment to attracting, developing, and retaining competent employees in alignment with objectives. How can organizations do this? Let’s discuss.

Attracting, Developing, and Retaining Competent Employees

During a SOC 2 audit, service organizations must demonstrate that their internal controls are in place and operating effectively, and this will not be possible if the organization does not have competent employees. In order to attract such employees, organizations can begin with their job descriptions and job postings. Ensuring that job descriptions accurately portray the qualities and characteristics needed to successfully fulfill positions is crucial. For example, if an organization is looking to fill a role that requires strong attention to detail, this needs to be explicitly stated. Organizations that fail to effectively communicate the job requirements could end up hiring unfit candidates, which would waste resources and hinder the organization’s ability to meet their objectives.

Developing employees is another key component in ensuring that an organization has competent employees. This can be done in various ways: the on-boarding process, requiring continuing education courses, security awareness training, annual team meetings, weekly or monthly department calls, or one-on-one meetings with a supervisor. How can your employees expect to grow within your company? How will you retain employees? Do you offer a growth or success plan? Do you meet with individual employees on an annual basis to conduct performance reviews? If an organization wants to retain employees, it will need to give them a clear path on how they can grow with the organization.

Without attracting, developing, and retaining competent employees, organizations will be at greater risk of vulnerabilities or potential breaches. It’s paramount that entities find candidates that are the right fit for the organization and that they continue to develop the right kind of employees, so that the organization can continue to meet its objectives.

More SOC 2 Resources

Click here to view more videos from our SOC 2 Academy series

Click here to view all of our SOC 2 videos

Video Transcription

Common criteria 1.4 (CC 1.4) in the Trust Services Criteria is about hiring the best talent to come into your organization and help you meet your objectives. How do you attract, retain, and develop the best employees? Do you have job postings and job descriptions in order to help people understand what your requirements are for the position? Do you have training programs to help people understand what it is that they’re supposed to do to be successful in your organization? Do you provide that instruction through policies, procedures, and other materials that you may provide to employees on a day-to-day basis? Do you have succession or growth plans to help people grow into different positions within your organization? Have you implemented a performance management program in order to help people identify areas where they can improve but also address deficiencies in an individual’s performance? All of these things are very important to have in order to help you be able to review your employees’ performance and also evaluate their technical competency, and make sure that before you bring them on board, they’re the right fit for your organization to help you meet your objectives.

Common Criteria 1.3

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.3 (CC1.3) states, “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Let’s discuss how organizations can go about defining the responsibilities of employees and what auditors will be looking for.

Establishing Oversight, Reporting Lines, and Responsibilities

When employees have multiple roles and responsibilities, it can lead to confusion and miscommunication. Defining the responsibilities of employees by establishing oversight and reporting lines and by designating appropriate authorities is a key way for an organization to resolve this confusion and create an effective organizational structure for completing business processes. Employees who have a clear understanding of their role and responsibilities, whom they report to, and how they fit into the larger company dynamic are more likely to work efficiently with their colleagues and avoid miscommunication. If a problem arises, an employee won’t waste time trying to figure out who needs to be alerted, because they’ll know exactly whom to report the problem to. It is especially important for a service organization’s management to establish and maintain a cohesive environment, because if a vulnerability is discovered or a breach occurs, it can then be effectively communicated and mitigated.

During a SOC 2 audit, an auditor will reference several documents to ensure that common criteria 1.3 is met. For example, an auditor might use a company’s organizational chart as evidence to understand who reports to whom and which responsibilities belong to which employees. An organizational chart acts as a key piece of evidence that a service organization’s management is defining the responsibilities of employees because it visually represents the entire organization. In addition to this, an auditor will verify that the organization has well-documented policies and procedures that explain its structure, reporting lines, and roles and responsibilities.


Video Transcription

Common criteria 1.3 (CC1.3) has to do with the board defining responsibilities for management. Have reporting lines been established? Has a structure been put into place? Because an auditor will look at your organizational chart as evidence to understand who reports to whom, and what responsibilities have been given to those charged with day-to-day duties.


Common Criteria 1.2

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.2 states, “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” Let’s take a look at how boards of directors can demonstrate independence from management and at some exceptions to the requirement.

Maintaining Independence from Management

The purpose of a board of directors is to ensure that a service organization’s business objectives are met, to determine whether the interests of the entity’s stakeholders and shareholders are considered, to verify that policies and procedures are upheld, and to provide oversight and management of the organization. In order to fulfill each of these roles, the board of directors must demonstrate independence from management, which means that board members who have ties to the organization could hinder that independence. For example, if a board member has charitable ties to a service organization, they might be swayed to vote in a certain direction regarding the company’s financial performance to ensure that they still receive their charitable donations that quarter. Another example might be a board member who is a former executive of the company. If the company is looking to merge with another entity, that board member might have ulterior motives for not wanting to proceed with the merger.

During a SOC 2 audit, an auditor will look to ensure that the service organization’s board contains members who are objective and who can independently oversee what the organization is doing. If a service organization is looking to comply with various regulatory rules, is undergoing multiple audits, or is having its information security systems tested, auditors will want to verify that the board is involved with those processes. A board of directors that shows little involvement in such engagements raises a red flag for auditors; there should at least be reporting that goes to the board to inform it of what’s occurring within the organization, so that it can perform proper oversight and governance.

Exceptions to the Rule

When clients engage us for a SOC 2 audit, we are often asked, “What if our organization doesn’t have a formal board of directors?” During the SOC 2 audit process, our Information Security Specialists will take this into consideration depending on the size and complexity of the service organization. Perhaps the service organization is a small, family-owned business that has one individual acting as both the CEO and the board. In that case, the auditor would be concerned with assessing the people who have a vested interest in making sure that the organization is meeting its obligations and that it is conducting business in the way the owner expects.


Video Transcription

Common criteria 1.2 (CC1.2) in the SOC 2 Trust Services Criteria has to do with the board demonstrating independence from management and overseeing the activities of the organization. As an auditor, we’re going to look for a board that contains members that are objective and who can independently oversee what the organization is doing. If you are seeking to comply with various regulatory rules, if you are conducting audits, if you are concerned about information security, which involves IT, the board can’t be separate from that. They can’t say that they don’t have anything to do with that. There should at least be reporting that’s going to the board to inform them of what’s occurring, so that they can perform the proper oversight and governance for your entity. One of the common questions that we get is “What if our organization doesn’t have a formal board of directors?” Maybe there is just one owner, or it’s a small organization, and it’s a family-owned business, and the board is really the CEO and the CFO, or maybe it’s just one individual who is the owner of the organization. That’s okay in this situation because when you look at things from the size and complexity of your organization, if you’re structured in that way, when we ask you questions about the board of directors, we’re really just referring to ownership—the people who have the vested interest in making sure that the organization is meeting their obligations and that they are conducting business in a way that the owner expects them to.

Common Criteria 1.1

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.1 states, “The entity demonstrates a commitment to integrity and ethical values.” So, what does an organization need to do to demonstrate this? How will the auditor test for integrity? Let’s discuss.

Tone from the Top

It’s critical for any organization, regardless of industry or size, to set a tone for compliance by starting at the top of the organization. When the leadership team, management, senior executives, stakeholders, and/or board of directors support compliance efforts, this establishes a foundation for compliance, and employees are much more likely to follow suit. During a SOC 2 audit, an auditor will interview and observe employees to determine whether this tone for compliance has been instilled in the company culture and will consider questions such as:

  • What is management doing to show their commitment to integrity and ethical values?
  • What is the culture of the company like?
  • What kind of business reputation does the organization have?
  • Do employees know what kind of behavior is expected of them?

Testing for Integrity in a SOC 2 Audit

When an auditor evaluates a service organization’s integrity and ethical values during a SOC 2 audit, they’ll do so by ensuring that there are written policies and procedures, as well as by interviewing and observing employees and the workplace environment. Having a formally documented set of policies and procedures allows auditors to see that there is an established standard that the organization must adhere to. Auditors want to see that the organization has created and implemented a code of conduct and a code of ethics and is actively working to ensure that such policies and procedures are followed. Auditors will look to ensure that these documents have been reviewed with employees – whether through the on-boarding process or as part of annual training programs – and that employees have signed an acknowledgement stating that they understand what standards they are expected to follow. Auditors also want to verify that the organization has policies and procedures regarding how to handle misconduct and unethical behavior, and they will interview management to confirm that such processes are being followed.


Video Transcription

Let’s start right at the top of the 2017 SOC 2 Trust Services Criteria. Common criteria 1.1 (CC1.1) has to do with the entity demonstrating a commitment to integrity and ethical values. How does a company demonstrate this? There’s a tone within the organization. You can tell it when you visit a company, when you talk to the people that work there, when you do business with them. Do they care about ethics? How do we as an auditor audit that an organization has integrity? Well, first of all, we would look for a written standard of conduct. Does the organization have a code of conduct? Do they have a code of ethics? Do they require their employees to sign and acknowledge that they understand what standards the organization has for them? Also, when we interview members of management, that’s one of the things that the auditor is looking for. Does this organization require this level of behavior, and if someone deviates from that, do they identify it and correct it? This is something that you should consider within your own organization as you seek to demonstrate your own commitment to integrity and ethical values.

The Five Components of Internal Control: CRIME

The COSO Internal Control — Integrated Framework is one of the most common models used to design, implement, maintain, and evaluate internal controls and is split into five components: control environment, risk assessment, information and communication, monitoring activities, and existing control activities. A common way to remember these five components that are used to evaluate the effectiveness of internal controls is the acronym CRIME.

  • Control Environment: A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values.
  • Risk Assessment: Accurately assessing, ranking, and mitigating risk is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control.
  • Information and Communication: Quality information and effective communication within a service organization can impact meeting internal control objectives.
  • Monitoring Activities: Service organizations must have effective monitoring activities to ensure the operating effectiveness of internal controls.
  • Existing Control Activities: The final and largest component of internal control is existing control activities. This component includes the details about the controls that you have put into place to meet your internal control objectives.

Supplemental Criteria in SOC 2

The new SOC 2 reporting also describes specific control activities, beyond the five basic COSO components, that should be used to evaluate the internal controls over security, availability, processing integrity, confidentiality, and privacy. These supplemental criteria further the intent of COSO Principle 12, which says, “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” The following supplemental criteria can be found in TSP Section 100.05.

  • Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
  • System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
  • Change management: The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
  • Risk Mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.


Video Transcript

One of the major changes in the 2017 SOC 2 framework has to do with the inclusion of the 17 principles from the COSO Internal Control — Integrated Framework. You’ll know the COSO Internal Control Framework by the acronym CRIME. “C” stands for control environment, “R” stands for risk assessment, “I” stands for information and communication, “M” stands for monitoring activities, and “E” stands for existing controls.

You’ll notice in the SOC 2 framework that in addition to the 17 principles that are aligned with the internal control framework, you have supplemental criteria that deal with how those control activities are put into place to help the entity do what they do. These are things like logical access controls and physical access controls, system operations, change management, the things that you do to mitigate risk within your organization. This type of guidance on COSO, internal control, and supplemental criteria is included and provided in the SOC 2 Trust Services Criteria, and you can visit our Online Audit Manager to check out the resources that are there to help you understand these control activities that you should consider.