The COSO Internal Control — Integrated Framework is one of the most common models used to design, implement, maintain, and evaluate internal controls and is split into five components: control environment, risk assessment, information and communication, monitoring activities, and existing control activities. A common way to remember these five components that are used to evaluate the effectiveness of internal controls is the acronym CRIME.
Control Environment: A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values.
Risk Assessment: Accurately assessing, ranking, and mitigating risk is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control.
Information and Communication: Quality information and effective communication within a service organization can impact meeting internal control objectives.
Monitoring Activities: Service organizations must have effective monitoring activities to ensure the operating effectiveness of internal controls.
Existing Control Activities: The final and largest component of internal control is existing control activities. This component includes the details about the controls that you have put into place to meet your internal control objectives.
Supplemental Criteria in SOC 2
The new SOC 2 reporting also describes specific control activities that go beyond the five basic COSO components and that should be used to evaluate the internal controls over security, availability, processing integrity, confidentiality, and privacy. Supplemental criteria further the intent of COSO Principle 12, which says, “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” The following supplemental criteria can be found in TSP Section 100.05.
Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
Change management: The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
Risk Mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.
One of the major changes in the 2017 SOC 2 framework has to do with the inclusion of the 17 principles from the COSO Internal Control — Integrated Framework. You’ll know the COSO Internal Control Framework by the acronym CRIME. “C” stands for control environment, “R” stands for risk assessment, “I” stands for information and communication, “M” stands for monitoring activities, and “E” stands for existing controls.
You’ll notice in the SOC 2 framework that, in addition to the 17 principles that are aligned with the internal control framework, you have supplemental criteria that deal with how those control activities are put into place to help the entity do what they do. These are things like logical access controls and physical access controls, system operations, change management, and the things that you do to mitigate risk within your organization. This type of guidance on COSO, internal control, and supplemental criteria is included and provided in the SOC 2 Trust Services Criteria, and you can visit our Online Audit Manager to check out the resources that are there to help you understand these control activities that you should consider.
What is a Point of Focus?
In the past, many organizations have struggled on their journey toward SOC 2 compliance because they lacked an understanding of what they needed to do to comply with the Trust Services Criteria. As such, one of the enhancements to SOC 2 reporting includes points of focus, which will assist organizations when they are designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. Points of focus are meant to be references, not requirements, because not all points of focus will be applicable to all organizations. These points of focus serve as a type of checklist for management, providing clarity on how organizations can ensure that they are SOC 2 compliant. Let’s look at an example of points of focus under the security category.
Specific Points of Focus
For example, CC1.1, under the common criteria and COSO’s control environment component, states, “The entity demonstrates a commitment to integrity and ethical values.” The specific points of focus for this include the following:
Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
Considers Contractors and Vendor Employees in Demonstrating Its Commitment—Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.
Organizations pursuing SOC 2 compliance would then choose to follow the guidance of the points of focus that apply to them. This ensures that their controls demonstrate the organization’s commitment to integrity and ethical values.
One of the enhancements to the SOC 2 Trust Services Criteria in 2017 has to do with the inclusion of points of focus. The criteria now include points of focus, given by the AICPA, that give you important characteristics of the criteria. These are not requirements; these are not things that you have to do, but they’re very helpful to reference. You can go into our Online Audit Manager and check out the resources in order to find these points of focus. One of the things that’s been very helpful about it is that, many times in the SOC 2 criteria, you would read a criterion and not really understand, at first glance, what it was talking about. The points of focus are there to help you understand the context of what the criteria are seeking to accomplish and how you might implement that within your own organization.
New Elements of SOC 2
In April 2017, the AICPA issued several updates to SOC 2 reporting. The most noticeable change is the revision from “Trust Services Principles and Criteria” to “Trust Services Criteria.” Other updates include points of focus, supplemental criteria, and the inclusion of the 17 principles from the 2013 COSO Internal Control Framework. Let’s take a look at how these principles will be used in a SOC 2 report.
Updates to the COSO Internal Control Framework
The COSO Internal Control Framework is used to assess the design, implementation, and maintenance of internal controls and to assess their effectiveness. While the five basic components of the COSO Internal Control Framework – control environment, risk assessment, control activities, information and communication, and monitoring activities – have not changed, the 2017 criteria now incorporate the 17 principles of internal control that are aligned with each of the five basic components. Additionally, there are now 81 points of focus across these 17 principles.
What are the 17 Principles of Internal Control?
The introduction of these 17 principles of internal control allows organizations to have an explicit understanding of what each of the five basic COSO components requires, making it easier for organizations to apply them. Every organization pursuing a SOC 2 report, regardless of size, must demonstrate that each of the 17 principles of internal control is present, functioning, and operating in an integrated manner. An organization’s ability to satisfy each of the five components and their subsequent principles demonstrates that it has an effective system of internal controls. The 17 principles of internal control include:
The 17 internal control principles do not map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.
The AICPA issued new SOC 2 Trust Services Criteria in 2017. These criteria must be used for any reports issued after December 15, 2018. Until that date, you have the option of using the 2016 criteria or the 2017 criteria.
One of the big things that is new in the 2017 criteria is the inclusion of the 17 principles from the COSO Internal Control Framework. These 17 principles have to do with things dealing with governance of the organization, how you communicate issues to the employees within your organization, how you perform risk assessments, or how you monitor your controls.
You can reference some of our other materials on the COSO Internal Control Framework and also visit our web portal, where you can find resources on this topic.
What is the COSO Internal Control Framework?
The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. The COSO framework is one of the most common and important models used to design, implement, maintain, and evaluate internal control. It’s regarded as the definitive model against which organizations determine the effectiveness of their internal control.
The COSO framework was established in 1992, but updated in 2013 to address evolving technology, environments, governance, and regulations. SOC 1, 2, and 3 reports all have some type of inclusion of the COSO framework. The COSO internal control framework outlines objectives, components, and principles. What are the three objectives of COSO and why are they important?
What are the 3 Objectives of COSO?
Design, implement, maintain, and evaluate internal control – easy enough, right? There are a lot of elements that go into developing an effective system of internal control. The COSO framework outlines three objectives, five components of internal control, and 17 principles related to internal control. The COSO framework defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.” The objectives of the COSO Integrated Framework are at the very core of internal control.
Operations – Have the controls that your organization has put into place been properly designed, and are they operating effectively? Your clients are relying on those controls as you deliver your services to them. Are your organization’s operating procedures efficient? Are your operational and financial performance goals realistic? Do you safeguard assets against risk and loss? The operations objective is meant to focus on the effectiveness and efficiency of operations.
Reporting – Are your reports reliable, timely, and transparent? What reports do your clients rely upon? Meeting the reporting objective is vital to meeting your clients’ goals and your obligations to them.
Compliance – Which laws and regulations apply to you? The compliance objective ensures that you remain in compliance with the standards and regulations that your clients care about.
To learn more about the objectives of COSO and how the internal control framework functions within your SOC 1, 2, or 3 report, contact us today.
The framework that is utilized for the SSAE 18 (formerly SSAE 16) is known as the COSO Internal Control Framework. The first objective of this framework is operations. Are the controls that you’ve put into place properly designed and operating effectively? Your clients are relying on those controls as you deliver your services to them. The second objective is reporting. What reports do your clients rely upon in order to assure that your services are meeting their goals and your obligations to them? The third objective is compliance. Which laws and regulations apply to you so that you remain in compliance with those things that your clients care about?