The Five Components of Internal Control: CRIME

The COSO Internal Control — Integrated Framework is one of the most common models used to design, implement, maintain, and evaluate internal controls and is split into five components: control environment, risk assessment, information and communication, monitoring activities, and existing control activities. A common way to remember these five components that are used to evaluate the effectiveness of internal controls is the acronym CRIME.

  • Control Environment: A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values.
  • Risk Assessment: Accurately assessing, ranking, and mitigating risk  is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control.
  • Information and Communication: Quality information and effective communication within a service organization can impact meeting internal control objectives.
  • Monitoring Activities: Service organizations must have effective monitoring activities to ensure the operating effectiveness of internal controls.
  • Existing Control Activities: The final and largest component of internal control is existing control activities. This component includes the details about the controls that you have put into place to meet your internal control objectives.

Supplemental Criteria in SOC 2

The new SOC 2 reporting also describes specific control activities that go beyond the five basic COSO components that should be used to evaluate the internal controls over security, availability, processing integrity, confidentiality, and privacy. Supplemental criteria further the intent of COSO Principle 12, which says, “The entity deploys control activities through policies that establish what is expected and procedures that put polices into action.” The following supplemental criteria and can be found in TSP Section 100.05.

  • Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
  • System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
  • Change management: The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
  • Risk Mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcript’ tags=”]

One of the major changes in the 2017 SOC 2 framework has to do with the inclusion of the 17 principles from the COSO Internal Control — Integrated Framework. You’ll know the COSO Internal Control Framework by the acronym CRIME. “C” stands for control environment, “R” stands for risk assessment, “I” stands for information and communication, “M” stands for monitoring activities, and “E” stands for existing controls.

You’ll notice in the SOC 2 framework that in addition to the 17 principles that are aligned with the internal control framework, you have supplemental criteria that deals with how those control activities are put into place to help the entity do what they do. These are things like logical access controls and physical access controls, system operations, change management, the things that you do to mitigate risk within your organization. This type of guidance on COSO, internal control, and supplemental criteria is included and provided in the SOC 2 Trust Services Criteria, and you can visit our Online Audit Manager to check out the resources that are there to help you understand these control activities that you should consider.

[/av_toggle]

[/av_toggle_container]

What are the Components of Internal Control (CRIME)?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. It’s one of the most common models used to design, implement, maintain, and evaluate internal control. To have an effective system of internal control, the COSO framework requires that service organizations have the defined components of internal control present, functioning, and supporting business and internal control objectives. Control environment, risk assessment, information and communication, monitoring, and existing control activities make up the five components of internal control, known by the acronym of CRIME.

What are the components of CRIME and what do they mean for your organization?

  1. Control Environment: The first component of internal control is control environment. A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values. Is management committed to an effective system of internal control? Is there some type of team committed to internal auditing or compliance? How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness?
  1. Risk Assessment: Risk assessment is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control. Does the organization know where assets live? Does the organization assess risks that are a threat to the achievement of internal control objectives? Are controls fully understood? Are there tests performed to assess of control?
  1. Information and Communication: Quality information and effective communication among a service organization can impact meeting internal control objectives. When there’s a system change, how does management communicate that to internal employees and/or external users? What is the effectiveness of that communication?
  1. Monitoring: How does management monitor the operating effectiveness of the organization? How do you address efficiencies and take part in corrective action?
  1. Existing Control Activities: The final component of internal control is existing control activities. This is the largest component, as it provides the details about the controls that you’ve put into place to meet your internal control objectives. Does the organization have documented policies and procedures? Is there a business continuity plan? Is there a change management program?

The five components of internal control function together to create an effective system of internal control. You must have a control environment to create a compliance culture within your organization. Once you have management’s support and influence, you can create a risk assessment process that identifies and manages risks that threaten the achievement of internal control objectives. You can then implement control activities that meet your internal control objectives and use effective communication to implement these processes throughout your organization. An ongoing monitoring program will keep your organization focused on meeting internal control objectives.

To learn more about how to implement the five components of internal control at your organization, contact us today.

In order to complete your SSAE 16 (recently updated to SSAE 18), you must have the five components of internal control present and functioning. These components are known by the acronym of CRIME. The first component is a control environment. How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness? The second component is risk assessment. Does the organization assess risks that are a threat to the achievement of your control objectives? The third component is information and communication. How does management communicate to your internal employees and your external users of your controls about any system changes or anything that might affect the use of the system that the service organization is offering. The fourth component is monitoring. How does management monitor the operating effectiveness of the organization? How do you address efficiencies and take part in corrective action? The fifth component is existing control activities. This section of the SSAE 16 (recently updated to SSAE 18) is the largest, as it provides the detail about the controls that you’ve put into place to meet your control objectives.