What are the Components of Internal Control (CRIME)?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. It’s one of the most common models used to design, implement, maintain, and evaluate internal control. To have an effective system of internal control, the COSO framework requires that service organizations have the defined components of internal control present, functioning, and supporting business and internal control objectives. Control environment, risk assessment, information and communication, monitoring, and existing control activities make up the five components of internal control, known by the acronym of CRIME.

What are the components of CRIME and what do they mean for your organization?

  1. Control Environment: The first component of internal control is the control environment. A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values. Is management committed to an effective system of internal control? Is there some type of team committed to internal auditing or compliance? How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness?
  2. Risk Assessment: Risk assessment is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control. Does the organization know where its assets live? Does the organization assess risks that threaten the achievement of internal control objectives? Are controls fully understood? Are tests performed to assess the controls?
  3. Information and Communication: Quality information and effective communication within a service organization can affect whether internal control objectives are met. When there’s a system change, how does management communicate that to internal employees and/or external users? How effective is that communication?
  4. Monitoring: How does management monitor the operating effectiveness of the organization? How do you address deficiencies and take corrective action?
  5. Existing Control Activities: The final component of internal control is existing control activities. This is the largest component, as it provides the details about the controls that you’ve put into place to meet your internal control objectives. Does the organization have documented policies and procedures? Is there a business continuity plan? Is there a change management program?

The five components of internal control function together to create an effective system of internal control. You must have a control environment to create a compliance culture within your organization. Once you have management’s support and influence, you can create a risk assessment process that identifies and manages risks that threaten the achievement of internal control objectives. You can then implement control activities that meet your internal control objectives and use effective communication to implement these processes throughout your organization. An ongoing monitoring program will keep your organization focused on meeting internal control objectives.

To learn more about how to implement the five components of internal control at your organization, contact us today.

In order to complete your SSAE 16 (recently updated to SSAE 18), you must have the five components of internal control present and functioning. These components are known by the acronym CRIME. The first component is the control environment. How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness? The second component is risk assessment. Does the organization assess risks that threaten the achievement of your control objectives? The third component is information and communication. How does management communicate to your internal employees and to the external users of your controls about any system changes or anything else that might affect the use of the system that the service organization is offering? The fourth component is monitoring. How does management monitor the operating effectiveness of the organization? How do you address deficiencies and take corrective action? The fifth component is existing control activities. This section of the SSAE 16 (recently updated to SSAE 18) is the largest, as it provides the detail about the controls that you’ve put into place to meet your control objectives.

What is the COSO Internal Control Framework?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. The COSO framework is one of the most common and important models used to design, implement, maintain, and evaluate internal control. It’s regarded as the definitive model against which organizations determine the effectiveness of their internal control.

The COSO framework was established in 1992, but updated in 2013 to address evolving technology, environments, governance, and regulations. SOC 1, 2, and 3 reports all have some type of inclusion of the COSO framework. The COSO internal control framework outlines objectives, components, and principles. What are the three objectives of COSO and why are they important?

What are the 3 Objectives of COSO?

Design, implement, maintain, and evaluate internal control – easy enough, right? There are a lot of elements that go into developing an effective system of internal control. The COSO framework outlines three objectives, five components of internal control, and 17 principles related to internal control. The COSO framework defines internal control as, “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.” The objectives of the COSO Integrated Framework are at the very core of internal control.

What do the objectives of COSO mean for your organization?

  1. Operations – Have the controls that your organization has put into place been properly designed, and are they operating effectively? Your clients are relying on those controls as you deliver your services to them. Are your organization’s operating procedures efficient? Are your operational and financial performance goals realistic? Do you safeguard assets against risk and loss? The operations objective focuses on the effectiveness and efficiency of operations.
  2. Reporting – Are your reports reliable, timely, and transparent? What reports do your clients rely upon? Meeting the reporting objective is vital to meeting your clients’ goals and your obligations to them.
  3. Compliance – Which laws and regulations apply to you? The compliance objective ensures that you remain in compliance with the standards and regulations that your clients care about.

To learn more about the objectives of COSO and how the internal control framework functions within your SOC 1, 2, or 3 report, contact us today.

The framework that is utilized for the SSAE 18 (formerly SSAE 16) is known as the COSO Internal Control Framework. The first objective of this framework is operations. Are the controls that you’ve put into place properly designed and operating effectively? Your clients are relying on those controls as you deliver your services to them. The second objective is reporting. What reports do your clients rely upon in order to assure that your services are meeting their goals and your obligations to them? The third objective is compliance. Which laws and regulations apply to you so that you remain in compliance with those things that your clients care about?

SOC 2 FAQs

When a client pursues a SOC 2 audit for the first time, they normally ask: What are the requirements of a SOC 2 audit? How are we going to be judged? What can I do to prepare? Which Trust Services Criteria should I select? KirkpatrickPrice strives to be your audit partner and will work with your organization to answer each of these SOC 2 FAQs.

Preparing for a SOC 2 Audit

One of the most common SOC 2 FAQs is: How should I be preparing for a SOC 2 audit? One of the best things to do when preparing for a SOC 2 audit is to review the purpose of the final component of a SOC 2 audit report, which describes the controls in place to meet the Trust Services Criteria and describes the auditor’s tests of those controls to determine their effectiveness. Each category of the Trust Services Criteria has standards that you must meet to demonstrate your compliance. When preparing for a SOC 2 audit, your organization should go through these standards and review how you meet each one.

For example, the security principle requires that the entity, your organization, “has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” How would your organization review how you meet this standard?

The first element of this criteria is workforce conduct standards. An assessor would ask your organization questions like:

  • What are your workforce conduct standards? For many organizations, this will be a part of your employee handbook.
  • Do you have employees acknowledge the employee handbook?
  • Do you offer training to teach what your workforce conduct standards are?

The security principle criteria also specify background screening procedures. To verify compliance with these criteria, an assessor would ask your organization questions like:

  • Do you have written policies and procedures? This may also be a part of your employee handbook.
  • Can we see evidence that background screening reports have been ordered? We want to ensure that when an organization says they’re doing background screening, they’re actually doing background screening.

The last element in this example is conducting enforcement procedures. An assessor would ask:

  • How do you enforce employee handbook standards that govern workplace conduct?
  • How do you enforce the policies and procedures relevant to background screening?
  • Do you communicate the consequences of violating these standards to your employees?

How would your organization prepare for a SOC 2 audit? Preparing for a SOC 2 audit requires many exercises in risk management, internal control review, and comparison with the Trust Services Criteria. To discover answers to more of your SOC 2 FAQs, contact us today.

Some of the SOC 2 FAQs that we receive from clients who contact us about a SOC 2 report are: what are the requirements? What do I need to do to prepare? How are we going to be judged against the standard?

The way that a SOC 2 audit report works is that we will be looking at criteria. As part of the Trust Services Principles (recently updated to the 2017 Trust Services Criteria), each principle has criteria that you must meet to demonstrate that you have placed those criteria into operation in order to meet the purpose of the principle that’s being audited.

Let me give you an example of a criterion so this idea can start to take shape and you can picture what an audit might look like when working with us during a SOC 2 engagement. In the security principle, which is also referred to as the Common Criteria for SOC 2 audit reports, there’s a criterion that states, “The entity has established workforce conduct standards, implemented workforce candidate background screenings procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to the applicable Trust Services Principles.” When we look at that criterion, we’re going to be asking you: What are your workforce conduct standards? For a lot of people, those will be contained within an employee handbook that governs the conduct standards you have for your employees while they’re under your employment. Do you have them acknowledge the handbook? Do you do training so that they understand what the standards are? Those are the types of things that we would look at in order to determine whether or not the criteria are in place.

This criterion also specifies background screening procedures. So, we would expect to see a written procedure for that, usually as part of an employee handbook. We would also want to see evidence that the background screening reports have been ordered and that you’re actually doing that for every employee hired. We have encountered situations where an organization says that they’re doing background checks in accordance with the criteria, but then we see that they haven’t done the background checks. We need to see that the criterion has been met.

The last piece in the example I’ve given you is that you conduct enforcement procedures in order to enable your organization to meet its commitments. In other words, if you have an employee handbook that governs workplace conduct, and if you have a policy that you must perform background checks when people are hired, how do you enforce that? How do you make sure that people are actually following the rules? We would ask you how you monitor that, whether you address the standards in performance reviews, and whether you communicate to your employees that violation of those standards or of the background check requirements would result in some type of discipline, up to and including termination.

This is an example of a criterion and of how you’d be able to demonstrate that you meet it. That’s the type of thing to prepare for in your SOC 2 audit report.

What is a SOC 1 Report?

Has a prospect recently asked if your organization has a SOC 1 report? Has a top client requested that you begin completing annual SOC 1 audits? Meanwhile, you’re just wondering, what is a SOC 1 report? Does your service organization affect user organizations’ financial reporting? If so, a SOC 1 applies to you. SOC 1 engagements are based on the SSAE 18 standard developed by the AICPA and report on the effectiveness of internal controls at a service organization that may be relevant to their clients’ internal control over financial reporting (ICFR). A SOC 1 report is the only type of SOC report that evaluates and tests controls over financial reporting. Receiving a SOC 1 report establishes a greater level of trust with clients, gives your organization a competitive advantage, and shows your commitment to protecting sensitive information.

What are the 5 Components of a SOC 1 Report?

In a SOC 1 report, an independent auditor attests that management’s description of a service or system is fairly presented and that the controls are suitably designed to attain the control objectives. SOC 1 reports issued by KirkpatrickPrice will contain a fair presentation and description of the internal controls within the scope of the audit. The controls described are only those that relate to a user organization’s ICFR and to the services that the service organization provides to them. The report will also describe the objectives of each control, whether the controls were suitably designed to achieve their objectives, and, for Type II audit engagements, whether the controls were operating effectively throughout the review period. A SOC 1 report also includes five major sections, which map to the five Committee of Sponsoring Organizations (COSO) components:

1. Control Environment

The control environment is the foundation for all other components of internal control. It sets the tone of an organization that influences the control consciousness of its people. In other words, it establishes the overall attitude, awareness, and actions of the board of directors, management, and employees concerning the importance and emphasis of internal control in the entity.

2. Risk Assessment

Risk assessment is not just the identification and evaluation of the significance of risk, but also involves how those risks are to be managed within your organization’s environment. COSO states that risks relevant to financial reporting include external and internal events that may occur and adversely affect the achievement of financial reporting objectives.

3. Control Activities

Control activities are the policies and procedures established to provide reasonable assurance that management’s directives to mitigate risk are executed. Control activities may be preventive or detective, and include the traditional internal controls, such as processing, recording, approving, and reconciling transactions. They occur on a day-to-day, routine basis throughout the organization and at all levels to record the transactions and events that create the financial statements. Controls fall into three categories: general controls, application controls, and physical controls.

4. Information and Communication

This refers to the identification, retention, and transfer of information in a timely manner enabling personnel to execute their responsibilities. The quality of information impacts management’s capacity to make decisions to direct the entity’s activities and prepare financial statements. Communication includes obtaining, providing, and sharing information, both internally and externally.

5. Monitoring

Monitoring is a process that evaluates whether each of the five internal control components, and the principles within each component, are present and functioning. The process may be carried out through separate evaluations or ongoing activities. Monitoring also includes initiating appropriate corrective actions.

A SOC 1 report provides an independent opinion on the establishment of effectively designed control objectives and control activities. A SOC 1 report is issued by a qualified, independent, certified public accounting firm. If you want to learn more about what it takes to complete a SOC 1 audit, contact us today.

An SSAE is a Statement on Standards for Attestation Engagements. These are technical pronouncements from the AICPA, the American Institute of Certified Public Accountants. The SSAE 18 (formerly SSAE 16) is specifically designed for service organizations. What the independent auditor is attesting to is that management’s description of the service or system that the users have access to is fairly presented and that the controls are suitably designed to attain the control objectives. Also, for a Type II report, the auditor is attesting to the fact that the controls were operating effectively during the period.

The service organization receives a report from the independent auditor, and that report can be shared with its user organizations, who rely upon it during their own audits because they are concerned about internal control over financial reporting. An SSAE 18 report is issued by a qualified, independent, certified public accounting firm.

Sampling During a SOC 1 Audit

When an auditor performs a test of control during a SOC 1 audit, it may be appropriate to apply sampling. Sampling is applying audit procedures to less than 100% of a population. The types of populations that could need to be tested include new hire training forms, employee acknowledgements of policies and procedures, antivirus reports, or access control logs. The PCAOB states that sampling requires, “that the auditor use professional judgment in planning, performing, and evaluating a sample and in relating the evidential matter produced by the sample to other evidential matter when forming a conclusion about the related account balance or class of transactions.”

If the sample size of a population is large in number, let’s say a quantity of 100, an auditor might take a random sample of 30 in that situation. If a population size is 10 or less, they may take a minimum of three. By and large, our sample size is 10% of a population, with a maximum of 30 and a minimum of three.

More questions about SOC 1 reports? View more of our SOC 1 video resources or contact us today.

When an auditor performs a test of control for an SSAE 16 (SOC 1) report, it may be appropriate to apply sampling. If the population is large in number, let’s say a quantity of 100, an auditor might take a random sample of 30 in that situation. If the population size is 10 or less, they may take a minimum of three. By and large, our sample size is 10% of a population, with a maximum of 30 and a minimum of three.

Examples of populations that would have to be tested include new hire training forms, employee acknowledgements of certain policies and procedures, antivirus reports, and access control logs. For each of these, the auditor determines what kind of sampling can be applied in the situations where it is appropriate to do so.