The Five Components of Internal Control: CRIME
The COSO Internal Control — Integrated Framework is one of the most common models used to design, implement, maintain, and evaluate internal controls. It is split into five components: control environment, risk assessment, information and communication, monitoring activities, and existing control activities. A common way to remember these five components, which are used to evaluate the effectiveness of internal controls, is the acronym CRIME.
- Control Environment: A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values.
- Risk Assessment: Accurately assessing, ranking, and mitigating risk is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control.
- Information and Communication: The quality of information and the effectiveness of communication within a service organization directly affect its ability to meet internal control objectives.
- Monitoring Activities: Service organizations must have effective monitoring activities to ensure the operating effectiveness of internal controls.
- Existing Control Activities: The final and largest component of internal control is existing control activities. This component includes the details about the controls that you have put into place to meet your internal control objectives.
Supplemental Criteria in SOC 2
The new SOC 2 reporting also describes specific control activities that go beyond the five basic COSO components and that should be used to evaluate the internal controls over security, availability, processing integrity, confidentiality, and privacy. Supplemental criteria further the intent of COSO Principle 12, which says, “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” The following supplemental criteria can be found in TSP Section 100.05.
- Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
- System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
- Change management: The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
- Risk mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.
More SOC 2 Resources
One of the major changes in the 2017 SOC 2 framework has to do with the inclusion of the 17 principles from the COSO Internal Control — Integrated Framework. You’ll know the COSO Internal Control Framework by the acronym CRIME. “C” stands for control environment, “R” stands for risk assessment, “I” stands for information and communication, “M” stands for monitoring activities, and “E” stands for existing controls.
You’ll notice in the SOC 2 framework that, in addition to the 17 principles that are aligned with the internal control framework, you have supplemental criteria that deal with how those control activities are put into place to help the entity do what it does. These are things like logical access controls and physical access controls, system operations, change management, and the things you do to mitigate risk within your organization. This type of guidance on COSO, internal control, and supplemental criteria is included and provided in the SOC 2 Trust Services Criteria, and you can visit our Online Audit Manager to check out the resources that are there to help you understand these control activities that you should consider.