What are Control Objectives?

Control objectives are statements that address how risk is going to be effectively managed by an organization, and your auditor will be validating whether or not your organization meets these control objectives during a SOC 1 audit. The AICPA requires that the description of the service organization’s systems includes specific control objectives and controls designed to achieve those objectives, and control objectives are typically presented in a matrix format.

During the scoping phase of a SOC 1 audit, you and your auditor will choose around 10-30 control objectives to be included in the audit. Determining the best control objectives for your organization is crucial for ensuring that you get the most out of your audit, which is why organizations need to partner with senior-level expert information security specialists who can assist in writing the control objectives to make sure that they’re presented reasonably.

Achievement of Your Control Objectives

Identifying risks that threaten the achievement of your control objectives and implementing related controls is a major component of a SOC 1 audit. When going through a SOC 1 audit, control objectives help to ensure that organizations’ internal control is — and remains — strong. If one of your control objectives is, “Our controls provide reasonable assurance that we restrict unauthorized access to our critical systems,” then you would need to implement controls to ensure that this objective was met. To validate this control objective, your auditor might verify that you have controls in place such as locked doors, badges, monitoring systems, and logical access controls.

Part of the terminology that you will hear over and over again in your audit is called control objectives. These are the objectives that your organization is trying to achieve. Let me give you an example of one: ‘Our controls provide reasonable assurance that we are preventing unauthorized access to sensitive information.’ The controls that you put into place have to be designed with the achievement of your control objectives in mind, so they would be things like locked doors, video monitoring, security guards, logical access controls, visitor badges, sign-ins, those kinds of things. The auditor would review and test those controls to make sure they are achieving the objective that you set out to do. In your report, you’ll have anywhere between 10 and 30 control objectives. Your auditor can help you write those control objectives and make sure they’re reasonably presented because, ultimately, an opinion will be issued about whether or not the controls you put into place are operating effectively and achieving the control objectives.

What is Management’s Written Assertion?

At the beginning stages of the SOC 1 or SOC 2 audit process, an organization will be asked to provide management’s written assertion to their auditor. This assertion lays the foundation for the audit because it is a written claim by an organization describing their systems and what it is their services are expected to accomplish for the organizations they do business with. It tells auditors how an organization’s system is designed and how it’s supposed to operate. For an auditor to be able to perform a SOC 1 or SOC 2 audit, the organization must acknowledge and accept the responsibility of providing management’s written assertion.

The AICPA defines an assertion as any declaration or set of declarations about whether the subject matter is in accordance with, or based on, the criteria. The AICPA also lays out three functions of management’s written assertion:

  • Addresses whether the description of the service organization’s system is presented in accordance with the description criteria
  • Addresses whether the controls stated in the description were suitably designed
  • Addresses whether the controls, during a Type II engagement, were operating effectively

Testing an Assertion

Throughout the SOC 1 or SOC 2 audit process, an auditor will review an organization’s internal controls, culminating in a final audit report wherein the auditor’s opinion is based on whether or not the assertion was fairly presented. This means that when an organization provides their assertion to their auditor, it needs to be as accurate as possible. For example, if your organization provides an assertion that states your employees are regularly trained and tested on cybersecurity best practices, you need to be able to show an auditor that this training does occur so that the auditor can validate that this claim is accurate.

One of the things that management has to provide to their auditor is an assertion. The assertion is a written document that provides a description of the system and what it is that the service is expected to accomplish for the user organization. The assertion is a detailed description of how the system is designed and how it’s supposed to operate. This assertion has to be received by the auditor and our opinion is based on whether or not the assertion is fairly presented.