Common Criteria 2.2

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss communicating with internal parties during an audit.

Communicating with Internal Parties During an Audit

During a SOC 2 audit, an auditor wants to see healthy internal communication. Any employee responsible for the functionality of internal controls must be involved in the audit process and understand how to communicate any issues. This means that the board of directors, C-level executives, directors, IT staff, and other personnel are engaged and willing to communicate issues that are discovered and need to be remediated.

The audit process can be tedious, and it can be even more difficult if the involved parties aren’t communicating effectively. For example, if a C-level executive is not involved in the audit process or doesn’t want to hear about vulnerabilities that were found, this is a red flag for an auditor. How could a CEO possibly know what’s going on with the organization’s information systems if she’s not communicating with internal parties? How could this CEO make sure that the organization’s internal controls are operating effectively? What would happen if an IT staff member found a vulnerability but didn’t know how to notify the CTO? When it comes to communicating with internal parties during an audit, organizations ultimately need to demonstrate that there is a culture of free-flowing communication throughout the company. To comply with common criteria 2.2, an auditor will want to verify that there are established channels for communication, so that all parties are able to relay information in a timely manner and are working together to ensure that the internal controls are in place and operating effectively.

Video Transcription

When we are auditing how an entity internally communicates, we’re really looking to make sure that there is a healthy understanding of the things that need to be communicated back and forth between management and those who are responsible for making sure that the controls are operating effectively. I’ll give a really great example that I saw one time. The CEO of an organization, on a weekly basis, made sure that he visited the cubicles of each employee in order to tell them about the security concerns that he had and make sure the employees knew about their role in making sure that the company met its compliance objectives. There was a very healthy understanding of what the expectations were, and everybody knew that the CEO really cared about the issue. The flip side of that was one time when I went into a CEO’s office in order to talk about the compliance and information security issues that we were identifying in the audit, and he did not want to have the conversation. He asked for us to just talk to the IT department; he didn’t want to know anything about it. There was a separation there between those charged with governance and what was actually happening on the ground, and you’ve got to have that free-flowing communication. I think the question you should ask yourself is: If I have an employee who knows of a problem, does that employee feel free to come and talk to somebody who is at a C-level, or maybe even submit something for the board to be concerned about and consider? Do they feel the empowerment in order to bring that to our attention?

Common Criteria 2.2

Communication is one of the underpinnings of meeting the requirements within the SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” For any type of organization to operate efficiently, there need to be established avenues of communication for all employees. How will an employee know whom to report an issue to if they are unaware of who should receive such information? How does an organization’s management relay expectations or concerns to its employees? During a SOC 2 audit, demonstrating that an organization communicates effectively is especially important. Let’s discuss the importance of two-way communication.

The Importance of Two-Way Communication

In order for an organization to demonstrate compliance with common criteria 2.2, there needs to be a clear process for two-way communication. The board of directors, C-level executives, and management must be able to clearly communicate roles, responsibilities, expectations, and concerns to each other and to their employees. If an organization’s objectives are not being met, how will the board of directors communicate this to management? If an issue arises within an organization, how will employees be addressed? If an employee is not meeting management’s expectations, how will this be communicated? Management might hold bi-annual meetings with the board of directors, send out a company-wide newsletter to keep employees current on developments within the organization, or prefer weekly department calls.

On the other hand, while management and the board of directors should have clear communication channels to their employees, there also need to be defined mechanisms for employees to safely communicate with their superiors. For example, a whistleblower hotline would serve as a safe mode of communication for an employee who has discovered wrongdoing within a company. Hotlines allow employees to communicate issues to management without fear and can empower employees to report issues more promptly. Regardless of the communication channels put into place, an organization must provide clearly defined avenues for two-way communication, so that the board of directors receives the information it needs to ensure the organization is meeting its objectives, and employees understand what they’re expected to do.

Video Transcription

You may not realize how important communication is to SOC 2 compliance. Communication is really one of the underpinnings of meeting the requirements within the SOC 2 Trust Services Criteria. Common criteria 2.2 talks about having two-way communication within your entity. For example, the board of directors or the C-level management should be providing communication to the rest of the employees, so that they understand what is expected of them and what is required to meet the objectives they set forth for the organization. But also, employees need an avenue or mechanism to report issues up to the board. Maybe this takes place in weekly or monthly reports that are included in the board of directors’ meeting minutes; maybe it’s a whistleblower hotline. So, if someone sees something that isn’t working the way that it’s supposed to, they have a way to get that information to the board. Whatever mechanism you choose to put into place, it just needs to provide that type of visibility, so that the board is receiving the information that it needs and employees understand what they’re being expected to do.

Common Criteria 2.1

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.1 states, “The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.” Let’s discuss why it’s important that service organizations demonstrate that they are making informed decisions during their SOC 2 audit.

Making Informed Decisions

How can an organization’s management implement or make changes to its internal controls without accurate resources and information? What would be the impact on the integrity of internal controls if management relied on inaccurate information? During a SOC 2 audit, an auditor will assess whether an organization’s management utilizes resources that provide accurate and timely information to ensure that internal controls are in place and functioning properly. Such information assists management in making the day-to-day decisions that allow an organization to run efficiently. Without it, vulnerabilities could be missed, and breaches would be more likely to occur. So, how can management ensure that it is making informed decisions?

Weekly management meetings are a great place to start. Having a dedicated time each week where an organization’s department heads come together with reports from their respective departments, discuss their findings, and come up with solutions collectively helps ensure that an organization’s management team is making informed decisions. In order for the department heads to produce such reports, though, each department must understand what information is needed to help management make informed decisions about the functionality of those internal controls. For example, if your Chief Technology Officer needs to make a decision about the internal controls relating to the physical security of a building, what information do they need? Who would give it to them? These kinds of processes must be implemented and maintained so that management has the ability to make informed decisions.

Video Transcription

How does your organization obtain and use relevant and quality information to make the day-to-day decisions that you need to in order to make sure your organization is effectively running? Common criteria 2.1 (CC2.1) of the SOC 2 Trust Services Criteria speaks exactly to how you find these sources of information and use them in the day-to-day decisions that management needs to make. For example, you might have weekly management meetings, or you might receive reports from different department heads that might give you statistics and results that you can then use as a whole in order to make those decisions and find areas that need to be corrected or areas that are performing as you expected.

Common Criteria 1.5

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.5 (CC1.5) states, “The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.” What do organizations need to do to demonstrate that they are holding employees accountable? Organizations can implement accountability measures through positive and punitive reinforcements, but what does that look like? Let’s discuss.

Positive Reinforcements in the Workplace

In order to ensure that an organization’s internal controls are in place and operating effectively, the personnel responsible for those internal controls must be held accountable. Instituting positive reinforcements in the workplace is one way that organizations can be sure that they are holding employees accountable. Incentives such as bonuses or additional vacation time, or even public praise and appreciation, can go a long way for an organization. When employees are recognized or rewarded for their hard work, they will be more likely to be accountable. Using positive reinforcements helps set the tone for accountability in an organization and will empower its employees to want to meet the expectations set for them.

Punitive Reinforcements in the Workplace

Though some might feel that punishing employees is not as effective as using positive reinforcements, taking punitive measures can be necessary when it comes to holding employees accountable. For example, if you have an employee who is constantly missing deadlines, they should be reprimanded in some way, such as a one-on-one meeting with a supervisor or a written warning. If an employee tasked with physical security internal controls forgets to lock up the office, there needs to be some disciplinary measure taken. By avoiding punitive reinforcements altogether, an organization signals to its employees that management might not take misbehavior or negligence seriously. Holding employees accountable might result in terminating a few employees, but it will set the tone for compliance and accountability for the rest of the organization.

Video Transcription

SOC 2 common criteria 1.5 (CC1.5) says that the entity has to hold individuals accountable for their internal control responsibilities. Accountability can be achieved positively or punitively. On the positive side, you could put rewards and incentives into place. When you catch somebody doing the right thing, when they achieve the objectives that you’ve set out for them, they should be held up as an example for the rest of the organization to see. When you have someone who breaks the rules and perhaps doesn’t live up to the requirements that you have, you should have some type of disciplinary measure, so that the organization knows that you are taking that seriously and that someone will be held accountable or perhaps even terminated if they don’t follow through with their internal control responsibilities.

Common Criteria 1.4

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the SOC 2 Trust Services Criteria. Common criteria 1.4 says that an organization must demonstrate a commitment to attracting, developing, and retaining competent employees in alignment with objectives. How can organizations do this? Let’s discuss.

Attracting, Developing, and Retaining Competent Employees

During a SOC 2 audit, service organizations must demonstrate that their internal controls are in place and operating effectively, and this will not be possible if the organization does not have competent employees. In order to attract such employees, organizations can begin with their job descriptions and job postings. Ensuring that job descriptions accurately portray the qualities and characteristics needed to successfully fulfill positions is crucial. For example, if an organization is looking to fill a role that requires strong attention to detail, this needs to be explicitly stated. Organizations that fail to effectively communicate the job requirements could end up hiring unfit candidates, which would waste resources and hinder the organization’s ability to meet their objectives.

Developing employees is another key component in ensuring that an organization has competent employees. This can be done in various ways: the on-boarding process, required continuing education courses, security awareness training, annual team meetings, weekly or monthly department calls, or one-on-one meetings with a supervisor. How can your employees expect to grow within your company? How will you retain employees? Do you offer a growth or success plan? Do you meet with individual employees on an annual basis to conduct performance reviews? If an organization wants to retain employees, it will need to give them a clear path for how they can grow with the organization.

Without attracting, developing, and retaining competent employees, organizations face a greater risk of vulnerabilities and potential breaches. It’s paramount that entities find candidates who are the right fit for the organization and continue to develop the right kind of employees, so that the organization can continue to meet its objectives.

Video Transcription

Common criteria 1.4 (CC1.4) in the Trust Services Criteria is about hiring the best talent to come into your organization and help you meet your objectives. How do you attract, retain, and develop the best employees? Do you have job postings and job descriptions in order to help people understand what your requirements are for the position? Do you have training programs to help people understand what it is that they’re supposed to do to be successful in your organization? Do you provide that instruction through policies, procedures, and other materials that you may provide to employees on a day-to-day basis? Do you have succession or growth plans to help people grow into different positions within your organization? Have you implemented a performance management program in order to help people identify areas where they can improve but also address deficiencies in an individual’s performance? All of these things are very important to have in order to help you be able to review your employees’ performance and also evaluate their technical competency, and make sure that before you bring them on board, they’re the right fit for your organization to help you meet your objectives.