Common Criteria 1.3

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.3 (CC1.3) states, “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Let’s discuss how organizations can go about defining the responsibilities of employees and what auditors will be looking for.

Establishing Oversight, Reporting Lines, and Responsibilities

When employees hold multiple roles and responsibilities without clear boundaries, the result is confusion and miscommunication. Establishing oversight, defining reporting lines, and designating appropriate authorities are the key ways an organization resolves that confusion and builds an organizational structure that can actually carry out its business processes. Employees who clearly understand their role and responsibilities, whom they report to, and how they fit into the larger company are more likely to work efficiently with their colleagues and avoid miscommunication. If a problem arises, an employee won’t waste time figuring out whom to alert, because they will already know exactly who needs to hear about it. This matters especially for a service organization’s management: if a vulnerability is discovered or a breach occurs, a well-defined structure is what allows the issue to be escalated to the right people and mitigated quickly.

During a SOC 2 audit, an auditor will reference several documents to ensure that common criteria 1.3 is met. For example, an auditor might use the company’s organizational chart as evidence of who reports to whom and which responsibilities belong to which employees. An organizational chart is a key piece of evidence that a service organization’s management has defined employee responsibilities, because it visually represents the entire organization. In addition, the auditor will verify that the organization has well-documented policies and procedures that explain its structure, reporting lines, and roles and responsibilities.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

Common criteria 1.3 (CC1.3) has to do with the board defining responsibilities for management. Have reporting lines been established? Has a structure been put into place? Because an auditor will look at your organizational chart as evidence to understand who reports to whom, and what responsibilities have been given to those charged with day-to-day duties.

Common Criteria 1.2

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.2 states, “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” Let’s take a look at how boards of directors can demonstrate independence from management and some exceptions to the requirement.

Maintaining Independence from Management

The purpose of a board of directors is to ensure that a service organization’s business objectives are met, to determine whether the interests of the entity’s stakeholders and shareholders are being considered, to verify that policies and procedures are upheld, and to provide oversight of management and of the organization as a whole. To fulfill each of these roles, the board must be independent of management, which means that board members with ties to the organization can undermine that independence. For example, a board member whose charity receives donations from the service organization might be swayed to vote a certain way on matters affecting the company’s financial performance in order to keep those donations coming. Another example is a board member who is a former executive of the company: if the company is considering a merger with another entity, that board member might have ulterior motives for not wanting the merger to proceed.

During a SOC 2 audit, an auditor will look to ensure that the service organization’s board contains members who are objective and who can independently oversee what the organization is doing. If a service organization is working to comply with various regulatory rules, undergoing multiple audits, or having its information security systems tested, auditors will want to verify that the board is involved in those processes. A board of directors that shows little involvement in such engagements is a red flag to auditors; at a minimum, there should be reporting to the board that informs it of what is occurring within the organization, so that it can perform proper oversight and governance.

Exceptions to the Rule

When clients engage us for a SOC 2 audit, we are often asked, “What if our organization doesn’t have a formal board of directors?” During the SOC 2 audit process, our Information Security Specialists take this into consideration based on the size and complexity of the service organization. Perhaps the service organization is a small, family-owned business in which one individual acts as both the CEO and the board. In that case, when the auditor asks about the board of directors, they are really referring to ownership: the people who have a vested interest in making sure that the organization is meeting its obligations and that it is conducting business in the way the owner expects.

Video Transcription

Common criteria 1.2 (CC1.2) in the SOC 2 Trust Services Criteria has to do with the board demonstrating independence from management and overseeing the activities of the organization. As an auditor, we’re going to look for a board that contains members that are objective and who can independently oversee what the organization is doing. If you are seeking to comply with various regulatory rules, if you are conducting audits, if you are concerned about information security, which involves IT, the board can’t be separate from that. They can’t say that they don’t have anything to do with that. There should at least be reporting that’s going to the board to inform them of what’s occurring, so that they can perform the proper oversight and governance for your entity. One of the common questions that we get is “What if our organization doesn’t have a formal board of directors?” Maybe there is just one owner, or it’s a small organization, and it’s a family owned business, and the board is really the CEO and the CFO, or maybe it’s just one individual who is the owner of the organization. That’s okay in this situation because when you look at things from the size and complexity of your organization, if you’re structured in that way, when we ask you questions about the board of directors, we’re really just referring to ownership—the people who have the vested interest in making sure that the organization is meeting their obligations and that they are conducting business in a way that the owner expects them to.

Common Criteria 1.1

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.1 states, “The entity demonstrates a commitment to integrity and ethical values.” So, what does an organization need to do to demonstrate this? How will the auditor test for integrity? Let’s discuss.

Tone from the Top

It’s critical for any organization, regardless of industry or size, to set a tone for compliance by starting at the top of the organization. When the leadership team, management, senior executives, stakeholders, and/or board of directors support compliance efforts, this establishes a foundation for compliance and employees are much more likely to follow suit. During a SOC 2 audit, an auditor will interview and observe employees to determine if this tone for compliance has been instilled in the company culture and will consider questions, such as:

  • What is management doing to show their commitment to integrity and ethical values?
  • What is the culture of the company like?
  • What kind of business reputation does the organization have?
  • Do employees know what kind of behavior is expected of them?

Testing for Integrity in a SOC 2 Audit

When an auditor evaluates a service organization’s integrity and ethical values during a SOC 2 audit, they do so by confirming that there are written policies and procedures, and by interviewing and observing employees and the workplace environment. A formally documented set of policies and procedures lets auditors see that there is an established standard the organization must adhere to. Auditors want to see that the organization has created and implemented a code of conduct and a code of ethics and is actively working to ensure that they are followed. Auditors will also check that these documents have been reviewed with employees – whether during onboarding or as part of annual training – and that employees have signed an acknowledgement stating that they understand the standards they are expected to follow. Finally, auditors want to verify that the organization has policies and procedures for handling misconduct and unethical behavior, and they will interview management to confirm that those processes are actually being followed.

Video Transcription

Let’s start right at the top of the 2017 SOC 2 Trust Services Criteria. Common criteria 1.1 (CC1.1) has to do with the entity demonstrating a commitment to integrity and ethical values. How does a company demonstrate this? There’s a tone within the organization. You can tell it when you visit a company, when you talk to the people that work there, when you do business with them. Do they care about ethics? How do we as an auditor audit that an organization has integrity? Well, first of all, we would look for a written standard of conduct. Does the organization have a code of conduct? Do they have a code of ethics? Do they require their employees to sign and acknowledge that they understand the standards that the organization has for them? Also, when we interview members of management, that’s one of the things that the auditor is looking for. Does this organization require this level of behavior, and if someone deviates from that, do they identify it and correct it? This is something that you should consider within your own organization as you seek to demonstrate your own commitment to integrity and ethical values.

The Five Components of Internal Control: CRIME

The COSO Internal Control — Integrated Framework is one of the most common models used to design, implement, maintain, and evaluate internal controls. It is split into five components: control environment, risk assessment, information and communication, monitoring activities, and control activities (the page’s mnemonic below calls the last one “existing control activities”). A common way to remember these five components, which are used to evaluate the effectiveness of internal controls, is the acronym CRIME.

  • Control Environment: A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values.
  • Risk Assessment: Accurately assessing, ranking, and mitigating risk is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control.
  • Information and Communication: Quality information and effective communication within a service organization can impact meeting internal control objectives.
  • Monitoring Activities: Service organizations must have effective monitoring activities to ensure the operating effectiveness of internal controls.
  • Existing Control Activities: The final and largest component of internal control is control activities (“existing control activities” in the CRIME mnemonic). This component covers the details of the controls you have put in place to meet your internal control objectives.

Supplemental Criteria in SOC 2

The 2017 SOC 2 criteria also describe specific control activities that go beyond the five basic COSO components and that should be used to evaluate internal controls over security, availability, processing integrity, confidentiality, and privacy. These supplemental criteria further the intent of COSO Principle 12, which says, “The entity deploys control activities through policies that establish what is expected and procedures that put policies into action.” The following supplemental criteria can be found in TSP section 100.05.

  • Logical and physical access controls: The criteria relevant to how an entity restricts logical and physical access, provides and removes that access, and prevents unauthorized access.
  • System operations: The criteria relevant to how an entity manages the operation of system(s) and detects and mitigates processing deviations, including logical and physical security deviations.
  • Change management: The criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
  • Risk Mitigation: The criteria relevant to how the entity identifies, selects, and develops risk mitigation activities arising from potential business disruptions and the use of vendors and business partners.

Video Transcript

One of the major changes in the 2017 SOC 2 framework has to do with the inclusion of the 17 principles from the COSO Internal Control — Integrated Framework. You’ll know the COSO Internal Control Framework by the acronym CRIME. “C” stands for control environment, “R” stands for risk assessment, “I” stands for information and communication, “M” stands for monitoring activities, and “E” stands for existing controls.

You’ll notice in the SOC 2 framework that in addition to the 17 principles that are aligned with the internal control framework, you have supplemental criteria that deals with how those control activities are put into place to help the entity do what they do. These are things like logical access controls and physical access controls, system operations, change management, the things that you do to mitigate risk within your organization. This type of guidance on COSO, internal control, and supplemental criteria is included and provided in the SOC 2 Trust Services Criteria, and you can visit our Online Audit Manager to check out the resources that are there to help you understand these control activities that you should consider.

What is a Point of Focus?

In the past, many organizations have struggled on their journey toward SOC 2 compliance because they did not understand what they actually needed to do to comply with the Trust Services Criteria. To address this, one of the enhancements to SOC 2 reporting is the addition of points of focus, which assist organizations in designing, implementing, operating, and evaluating controls over security, availability, confidentiality, processing integrity, and privacy. Points of focus are references, not requirements, because not all points of focus apply to every organization. They serve as a kind of checklist for management, providing clarity on how an organization can satisfy a given criterion. Let’s look at an example of the points of focus under the security category.

Specific Points of Focus

For example, CC1.1, under the common criteria and COSO’s control environment component, states, “The entity demonstrates a commitment to integrity and ethical values.” The specific points of focus for this include the following:

  • Sets the Tone at the Top—The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
  • Establishes Standards of Conduct—The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
  • Evaluates Adherence to Standards of Conduct—Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct.
  • Addresses Deviations in a Timely Manner—Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.
  • Considers Contractors and Vendor Employees in Demonstrating Its Commitment – Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.

An organization pursuing SOC 2 compliance would then follow the guidance of the points of focus that apply to it, so that its controls demonstrate the organization’s commitment to integrity and ethical values.

Video Transcript

One of the enhancements to the SOC 2 Trust Services Criteria in 2017 has to do with the inclusion of points of focus. The criteria now include points of focus, given by the AICPA, that really give you important characteristics about the criteria. These are not requirements; these are not things that you have to do, but they’re very helpful to reference. You can go into our Online Audit Manager and check out the resources in order to find these points of focus. One of the things that’s been very helpful about it is, many times in the SOC 2 criteria, you would read it and you wouldn’t really understand, at first glance, what it was talking about. The points of focus are there to help you understand the context of what the criteria is seeking to accomplish and how you might implement that within your own organization.
