Common Criteria 4.1

When a service organization undergoes a SOC 2 audit, auditors will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.1 (CC4.1) states, “The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Why is it so important that organizations effectively perform evaluations of internal control? Let’s find out.

Monitoring Internal Control for SOC 2 Compliance

Because every organization is different when it comes to monitoring activities, an auditor will seek to understand what the organization does and how they do it during a SOC 2 audit. Considering this, in order for an organization to demonstrate that they comply with common criteria 4.1, they’ll need to show that they are conducting evaluations of internal control, which should include:

  • Considering a mix of ongoing and separate evaluations
  • Considering the rate of change of business or business processes
  • Using the current internal control system to establish a baseline understanding for future evaluations
  • Using knowledgeable personnel to conduct the evaluations of internal control
  • Integrating the evaluations of internal control with business processes
  • Adjusting the scope and frequency of evaluations depending on risk
  • Ensuring that separate evaluations are conducted periodically to promote objectivity
  • Utilizing various types of evaluations of internal control (e.g., penetration testing, third-party assessments, or internal audits)

Auditors will also want organizations to explain how they conduct evaluations of internal control. For instance, this might be done by explaining to an auditor that your department heads receive reports biweekly while leadership and department heads meet monthly to review those reports to determine how the organization should implement changes. Essentially, having effective evaluations of internal control allows organizations to ensure that their internal controls are present and functioning, and if they aren’t, the evaluations of internal control will give insight into the vulnerabilities that need to be remediated.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

SOC 2 common criteria 4.1 (CC4.1) says that the entity has to select, develop, and perform ongoing and/or separate evaluations of their internal control functioning. Generically speaking, this is monitoring. How do you monitor the performance of your internal control within your organization? Do you have regular meetings and conversations with departments to look at the results that they’ve experienced? Do you have data that comes to you that has to be analyzed and reviewed in order to determine whether a system is operating the way it’s supposed to? Do you get output from the various technologies that you’ve put into place in order to identify if anything has changed or if a new threat has appeared? How do you monitor the overall functioning of your team? This means more than just the systems and processes, but also the people. Every organization is different when it comes to monitoring activities, so when we’re performing that audit, we’re seeking to understand what you do and how you do it. For example, we’d like for you to explain to us the meetings you have on a weekly basis, the reports that you review on a monthly basis, and the processes that are in place to help you make decisions or changes within the organization as you review data. We want you to help us understand your environment better, so that we can help guide you and help you understand whether or not your monitoring activities are compliant with common criteria 4.1.


The Importance of Teamwork During a Risk Assessment

During a SOC 2 audit, an auditor will assess an organization’s risk assessment processes. This includes not only assessing how the organization assesses risk, but also the people involved in the risk assessment process. Auditors will want to see that the organization has a process in place regarding who should make updates to the risk assessment. Why is that? One of the common findings of SOC 2 audits is that organizations treat their risk assessment as something that they update without much thought from the previous year, and they often don’t involve the appropriate members of the organization to contribute to the risk assessment process. Why is teamwork important during a risk assessment? Who should make updates to the risk assessment? Let’s discuss.

Conducting a risk assessment is a proactive way that organizations can identify and assess organizational risk, but a risk assessment is not a one-person job. In order to get the most out of a risk assessment, more than just the IT department needs to be involved. Compliance, operations, and even the front desk receptionist and security guards could be involved in identifying, assessing, and mitigating risks. If just the IT department is involved, critical information could be left out of the risk assessment. For instance, there might be updated regulations or laws that an organization is required to adhere to, and if the compliance personnel don’t notify the IT team, the organization might be at risk of non-compliance. Likewise, let’s say that operations implemented a new product development process. If they aren’t involved in the risk assessment, who else will be able to explain the intricacies and potential vulnerabilities of the new process? If various departments aren’t involved in the risk assessment process, how will anyone know who should make updates to the risk assessment? Ultimately, utilizing teamwork during the risk assessment process allows organizations to identify risks that they may have otherwise missed, helping them increase the effectiveness of the risk assessment and strengthen their security posture.

Video Transcription

One of the common findings that we have in an entity’s risk assessment is that it was just treated as something that they updated without much thought from the previous year, and they didn’t involve the appropriate members from the organization to contribute to the risk assessment process. It shouldn’t be something that just one person knows about, or one person completes, because you might be missing some very relevant intelligence from people who work at the warehouse or people who work in sales. The risk assessment involves not only people who work in IT, but also people who work in compliance, operations, or even the front desk receptionist. Consider how you can involve the most people in your organization in your risk assessment process, so that you can identify risks that you might not be aware of.


Common Criteria 3.4

When a service organization undergoes a SOC 2 audit, auditors will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.4 (CC3.4) states, “The entity identifies and assesses changes that could significantly impact the system of internal control.” Let’s take a look at what organizations need to do during their SOC 2 audit to demonstrate compliance with common criteria 3.4.

Consider Organizational Changes in Your Risk Assessment

During the annual risk assessment review, organizations often say that they have not experienced any organizational changes since their last audit. While it’s true that organizations might not go through significant changes between audit periods, such as an overhaul of leadership, laying off entire departments, or merging with another business, organizations will almost always experience some change. This is why it is so important that organizations proactively assess changes within their organization, no matter the size of the change.

During a SOC 2 audit, an auditor will observe how an organization assesses changes within their organization. These organizational changes might include:

  • Changes to the external environment
  • Changes to the business model
  • Changes to leadership
  • Changes to the organization’s systems and technology
  • Changes to vendor and business partner relationships

For example, if leadership decides to adopt a new technology, how does that impact the organization’s system of internal control? What new risks does the new technology add? Are new processes needed to monitor it? Do you know all of the resources available to effectively deal with the risks associated with it? Do you need to hire new employees to manage it? Adding something as simple or as complex as new technology must be considered during an organization’s annual risk assessment. Organizations that fail to effectively assess changes within their organization will be more at risk for data breaches and security incidents because they won’t have a cohesive understanding of the risks that could impact their system of internal control.

Video Transcription

One of the things we do when we kick off an audit is ask, has anything changed within the last year? More often than not, it seems that people always answer that there have been no changes and that everything remains the same as the previous year. However, it’s really hard to not have any changes. When you start to look at it, it’s clear that there are changes, such as personnel, location, and technology changes. You have to consider all of those things in your risk assessment when it comes to changes that have affected your environment. Common criteria 3.4 (CC3.4) of the SOC 2 Trust Services Criteria requires that you take that into consideration in your own risk assessment. What are the things that have changed this year? What new risks could those introduce into the organization? Did you bring new technology in and haven’t yet learned how to monitor it? Do you know all of the resources available to effectively deal with the risks associated with new technology? What about personnel? If you add a new person to your leadership team who brings in a new perspective, what risks could a change in new ideas or personality present? Did you allow employees to work from home this last year or open a new satellite office? Any of those kinds of changes that you’ve introduced into your environment must be identified and considered, at a minimum, in your annual risk assessment.


Common Criteria 3.3

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.3 (CC3.3) states, “The entity considers the potential for fraud in assessing risks to the achievement of objectives.” This means that organizations must consider how fraud can impact risk. What does an organization need to do to comply with common criteria 3.3? Let’s find out.

Assessing Opportunities for Fraud

As part of the risk assessment process, organizations need to assess opportunities for fraud within the organization so they can understand how fraud can impact risk. This includes not only the different types of fraud that might be committed, but also the incentives, pressures, attitudes, and rationalizations that could influence someone within the organization to commit fraud. During the SOC 2 audit, an auditor will verify that the entity has considered any type of fraud that could be committed, such as fraudulent reporting, corruption, or loss of assets. Similarly, an auditor will want to see that an organization is proactively assessing incentives and pressures to partake in fraudulent activities. For example, if an organization has a rigorous bonus program based on meeting certain objectives, how do they mitigate the potential for fraudulent behavior? If an employee commits fraud in order to receive their incentive bonus, what risks does that pose to the organization? Does the organization have a strict no-tolerance policy for fraudulent activities? How does management respond to employees committing fraud? Do they rationalize the behavior?

Think about it this way: what would be the impact to your organization if an employee accessed and stole sensitive data? What if an employee altered records to get ahead? Assessing opportunities for fraud is critical for all organizations and is a key way for organizations to understand how fraud can impact risk. Employees are often viewed as the weakest security link, and this includes the risk that they will commit fraud. If you’re in the process of preparing for a SOC 2 audit, how are you assessing opportunities for fraud within your organization?

Video Transcription

When pursuing compliance with common criteria 3.3 (CC3.3) in the SOC 2 Trust Services Criteria, you want to make sure in your risk assessment that you’ve considered the impact of fraud on your level of risk. For example, have you put too much emphasis on meeting the objectives of the organization? Is there an incentive or opportunity for an employee to commit fraud in order to meet that incentive? Do employees have attitudes and rationalized behaviors that have developed because they’re so concerned about meeting the incentive or receiving the potential reward for accomplishing their duties that they make the decision to use fraud to make it seem like they’ve done that? You need to incorporate this attitude and the potential for fraud to impact your organization as you assess your own risks.


Common Criteria 3.2

While organizations must consider the risks to their operations, finances, and reputation caused by threats inside their organization, they must also consider outside risks from business partners and third-party vendors. During a SOC 2 audit, organizations will have to demonstrate that they consider the risks from business partners and third-party vendors in order to comply with the SOC 2 common criteria 3.2, which states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” Let’s take a look at the reasoning behind this, other frameworks that have vendor compliance requirements, and what can happen if an organization fails to manage the risks from business partners and third-party vendors.

Vendor Compliance Management for SOC 2 Compliance

As organizations increasingly outsource components of their business, it’s more crucial than ever to have a strong vendor compliance management program. Why? Because working with vendors puts your organization at a greater risk for data breaches or security incidents. By having an effective vendor compliance management program, you will be able to identify, mitigate, and better control risks from business partners and improve the security of your organization.

Think about it this way: what happens if your operations depend on the availability of your vendor’s services, but their service has an outage? If your vendor goes out of business, how does your organization continue to operate? If your organization shares cardholder data with a vendor and that vendor has a breach, what liability does your organization bear? These are the types of scenarios that your organization must consider when selecting vendors and managing vendor risk, especially in order to comply with common criteria 3.2.

Vendor Compliance Management for Other Information Security Frameworks

Vendor compliance is a hot topic in the information security industry. Aside from SOC 2 compliance, having a vendor compliance management program in place is a critical component of many other information security frameworks, such as:

  • PCI DSS: PCI Requirement 12.8 asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could negatively impact the security of cardholder data. PCI Requirement 12.8.1 also specifically asks that entities maintain a list of service providers including a description of the service provided.
  • HIPAA: In order to comply with the HIPAA Privacy and Security Rules, covered entities must enter into Business Associate Agreements with their business associates or vendors. Such agreements must adhere to the standards set forth in 45 CFR 164.504(e), which addresses proper uses and disclosures, safeguards, incident reporting, and termination rights.
  • NY CRR 500: NY CRR 500 requires two elements for effective vendor compliance management: a cybersecurity policy (Section 500.03) and a third-party service provider security policy (Section 500.11).

Vendor-Caused Breaches

It’s no surprise that so many frameworks require organizations to have a vendor compliance management program in place; breaches caused by vendors have skyrocketed recently. In June 2018, Ticketmaster UK discovered that its customer support chatbot software from Inbenta was hacked. It was later discovered that this breach exposed a much greater one: a massive credit card skimming campaign by the threat group Magecart, something that may have been prevented if a vendor compliance management program had been effectively in place. That is just one example; the list goes on and on. Companies like Best Buy, Delta Air Lines, and Sears, as well as Lord & Taylor and Saks Fifth Avenue, all experienced vendor-related breaches that could have been prevented.

Video Transcription

A very common thing that we find missing in risk assessments when we’re trying to comply with SOC 2 common criteria 3.2 (CC3.2) is not including risks from business partners and vendors. This is a hot topic these days. All of the information security frameworks have been updated to include the issues that affect us from third-party vendors who might have security issues that impact us. You need to make sure that you include that as one of the risks that you consider in your own risk assessment.
