What are the Components of Internal Control (CRIME)?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. It’s one of the most common models used to design, implement, maintain, and evaluate internal control. To have an effective system of internal control, the COSO framework requires that service organizations have the defined components of internal control present, functioning, and supporting business and internal control objectives. Control environment, risk assessment, information and communication, monitoring, and existing control activities make up the five components of internal control, known by the acronym of CRIME.

What are the components of CRIME and what do they mean for your organization?

  1. Control Environment: The first component of internal control is the control environment. A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values. Is management committed to an effective system of internal control? Is there some type of team committed to internal auditing or compliance? How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness?
  2. Risk Assessment: Risk assessment is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control. Does the organization know where its assets live? Does the organization assess risks that threaten the achievement of internal control objectives? Are controls fully understood? Are there tests performed to assess controls?
  3. Information and Communication: Quality information and effective communication within a service organization can affect whether internal control objectives are met. When there’s a system change, how does management communicate that to internal employees and/or external users? How effective is that communication?
  4. Monitoring: How does management monitor the operating effectiveness of the organization? How do you address efficiencies and take part in corrective action?
  5. Existing Control Activities: The final component of internal control is existing control activities. This is the largest component, as it provides the details about the controls that you’ve put into place to meet your internal control objectives. Does the organization have documented policies and procedures? Is there a business continuity plan? Is there a change management program?

The five components of internal control function together to create an effective system of internal control. You must have a control environment to create a compliance culture within your organization. Once you have management’s support and influence, you can create a risk assessment process that identifies and manages risks that threaten the achievement of internal control objectives. You can then implement control activities that meet your internal control objectives and use effective communication to implement these processes throughout your organization. An ongoing monitoring program will keep your organization focused on meeting internal control objectives.

To learn more about how to implement the five components of internal control at your organization, contact us today.

In order to complete your SSAE 16 (recently updated to SSAE 18), you must have the five components of internal control present and functioning. These components are known by the acronym CRIME. The first component is the control environment. How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness? The second component is risk assessment. Does the organization assess risks that are a threat to the achievement of your control objectives? The third component is information and communication. How does management communicate to your internal employees and to the external users of your controls about any system changes or anything else that might affect the use of the system that the service organization is offering? The fourth component is monitoring. How does management monitor the operating effectiveness of the organization? How do you address efficiencies and take part in corrective action? The fifth component is existing control activities. This section of the SSAE 16 (recently updated to SSAE 18) is the largest, as it provides the detail about the controls that you’ve put into place to meet your control objectives.

What is the COSO Internal Control Framework?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. The COSO framework is one of the most common and important models used to design, implement, maintain, and evaluate internal control. It’s regarded as the definitive model against which organizations determine the effectiveness of their internal control.

The COSO framework was established in 1992 and updated in 2013 to address evolving technology, environments, governance, and regulations. SOC 1, 2, and 3 reports all incorporate the COSO framework in some form. The COSO internal control framework outlines objectives, components, and principles. What are the three objectives of COSO and why are they important?

What are the 3 Objectives of COSO?

Design, implement, maintain, and evaluate internal control – easy enough, right? There are a lot of elements that go into developing an effective system of internal control. The COSO framework outlines three objectives, five components of internal control, and 17 principles related to internal control. The COSO framework defines internal control as, “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.” The objectives of the COSO Integrated Framework are at the very core of internal control.

What do the objectives of COSO mean for your organization?

  1. Operations – Have the controls that your organization has put into place been properly designed, and are they operating effectively? Your clients are relying on those controls as you deliver your services to them. Are your organization’s operating procedures efficient? Are your operational and financial performance goals realistic? Do you safeguard assets against risk and loss? The operations objective focuses on the effectiveness and efficiency of operations.
  2. Reporting – Are your reports reliable, timely, and transparent? What reports do your clients rely upon? Meeting the reporting objective is vital to meeting your clients’ goals and your obligations to them.
  3. Compliance – Which laws and regulations apply to you? The compliance objective ensures that you remain in compliance with the standards and regulations that your clients care about.

To learn more about the objectives of COSO and how the internal control framework functions within your SOC 1, 2, or 3 report, contact us today.

The framework that is utilized for the SSAE 18 (formerly SSAE 16) is known as the COSO Internal Control Framework. The first objective of this framework is operations. Are the controls that you’ve put into place properly designed and operating effectively? Your clients are relying on those controls as you deliver your services to them. The second objective is reporting. What reports do your clients rely upon in order to assure that your services are meeting their goals and your obligations to them? The third objective is compliance. Which laws and regulations apply to you so that you remain in compliance with those things that your clients care about?

Sampling During a SOC 1 Audit

When an auditor performs a test of control during a SOC 1 audit, it may be appropriate to apply sampling. Sampling is applying audit procedures to less than 100% of a population. The types of populations that could need to be tested include new hire training forms, employee acknowledgements of policies and procedures, antivirus reports, or access control logs. The PCAOB states that sampling requires, “that the auditor use professional judgment in planning, performing, and evaluating a sample and in relating the evidential matter produced by the sample to other evidential matter when forming a conclusion about the related account balance or class of transactions.”

If a population is large in number, let’s say a quantity of 100, an auditor might take a random sample of 30 in that situation. If a population size is 10 or less, they may take a minimum of three. By and large, our sample size is 10% of a population, with a maximum of 30 and a minimum of three.
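The sampling rule described above, carried into a small worked tool. This is an added example, not code from the page or from the audit firm; the percentage, floor and cap are parameters set to the values stated above, a population smaller than the floor is assumed to be tested in full, and the seed-based selection is an assumption about how an auditor would make the pick reproducible for the workpapers.

```python
import math
import random


# Sample-size rule as described on this page (parameters are assumptions):
# roughly 10% of the population, never fewer than 3 and never more than 30.
def sample_size(population_size, percent=10, minimum=3, maximum=30):
    """Return how many items to select from a population of the given size."""
    if population_size <= 0:
        return 0
    if population_size <= minimum:
        return population_size  # cannot select more items than exist; test all
    size = math.ceil(population_size * percent / 100)  # integer math, no float drift
    return max(minimum, min(maximum, size))


def select_sample(population, seed):
    """Pick a reproducible random sample of the population.

    The seed is recorded alongside the selection so a reviewer can regenerate
    exactly the same pick later (assumed workpaper practice, not from the page).
    """
    rng = random.Random(seed)
    chosen = rng.sample(list(population), sample_size(len(population)))
    return sorted(chosen)


# Constructed population: 45 badge-access log entry ids, not real data.
ACCESS_LOG_IDS = [f"badge-event-{i:04d}" for i in range(1, 46)]


if __name__ == "__main__":
    picked = select_sample(ACCESS_LOG_IDS, seed=20240101)
    print(f"population={len(ACCESS_LOG_IDS)} sample={len(picked)}")
    for item in picked:
        print(item)
```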

More questions about SOC 1 reports? View more of our SOC 1 video resources or contact us today.

When an auditor performs a test of control for an SSAE 16 (SOC 1) report, it may be appropriate to apply sampling. If a population is large in number, let’s say a quantity of 100, an auditor might take a random sample of 30 in that situation. If a population size is 10 or less, they may take a minimum of three. By and large, our sample size is 10% of a population, with a maximum of 30 and a minimum of three.

Examples of populations that would have to be tested are new hire training forms, employee acknowledgements of certain policies and procedures, antivirus reports, or access control logs. For these kinds of populations, the auditor determines what kind of sampling can be applied in the situations where it is appropriate to do so.

The Auditor’s Test of Controls: Review, Observe, and Interview

At the end of a SOC 1 Type II report, you’ll find a section titled, “Information Provided by the Independent Service Auditor.” Within this section, you will find “Auditor’s Test of Controls,” which is a description of the controls that were tested during the audit, the procedures used for testing these controls, and the results of the testing. Tests of controls are procedures that the auditor goes through to provide reasonable assurance that the controls have been operating effectively over a period of time. When reviewing a SOC 1 Type II report, the opinion and the results of the auditor’s test of controls may contain vital information necessary to verify whether a service organization’s controls have been suitably designed and are operating effectively.

The procedures used for testing controls typically fall under one of three categories: review, observe, or interview. Let’s say your service organization says it has a policy that governs physical security, which includes things like door locks, surveillance cameras, onsite security guards, alarms, and issuing visitor badges. An auditor could review the relevant documentation to ascertain that the physical security policy does exist, it’s in place, and employees know about its existence. Or, an auditor could observe physical security practices, such as the process for issuing visitor badges, to verify that this policy does exist, it’s in place, and employees know about its existence. Or, an auditor could interview the personnel responsible for issuing visitor badges to verify that the physical security policy does exist, it’s in place, and employees know about its existence.

An auditor’s test of controls is designed uniquely and specifically for the controls that your service organization has put into place. If there are exceptions provided in the SOC 1 Type II report, for example, “In this case, the physical security control was not operating as it should have been,” those situations will be reported to management so that they can be remediated as soon as possible.

For an SSAE 16 (now SSAE 18) Type II report, there’s a section titled “Auditor’s Test of Controls.” These tests of controls are procedures that the auditor goes through to provide reasonable assurance that the controls have been operating effectively over a period of time.

An example of a test of control that an auditor would perform would be a review of policy. If you have stated that you have a policy that governs information security, or logical access, or human resources, or physical security, or application development, a test of that would be that the auditor reviews the document to ascertain that it does exist and it is in place and that people know about its existence.

Another test of control would be an observation. If one of your controls is, “We train our employees when they are hired,” or, “We monitor our network health in order to identify system capacity,” or if another control is, “We conduct peer review on our application development processes among our development teams,” an auditor may observe these practices or look for evidence that would provide them assurance that these things are taking place.

These tests of controls are designed uniquely and specifically for the controls that you’ve put into place and the auditor writes up a description of the tests that were performed and what the results of those tests were. There could be exceptions provided in the report, “In this case, this control was not operating as it should have been,” and of course, those situations are reported to management so that they can be dealt with and remediated as soon as possible.

Driven by Risk

An information security audit is largely driven by risk. We know that your clients rely upon our opinion; we don’t take that lightly. We will do everything possible to gain reasonable assurance that controls are in place and operating effectively. This is why audit risk, control risk, and detection risk are so important to us. These elements of risk overlap and work together, but they also drive our audits so that we can give you reasonable assurance.

What is Audit Risk?

In an audit of financial statements, like SOC 1 audits, audit risk is defined by the PCAOB as, “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.” What are the chances of an audit firm’s opinion being incorrect? What are the chances something gets overlooked? This all factors into the concept of audit risk.

What is Control Risk?

What are the chances that your controls are not operating effectively? What are the chances that the failure of a control leads to a material misstatement in financial statements? This is control risk. If you rely upon a person to monitor something, there are inherent limitations. Why? Because people make mistakes. The more that people are involved, the higher the control risk. But there’s control risk related to automated processes too, because systems fail. There’s always some level of control risk, but an auditor will design tests to help us have reasonable assurance that controls are in place and operating effectively.

What is Detection Risk?

Will an auditor not detect something that is in existence? This is detection risk. In relation to SOC 1 audits, the PCAOB defines detection risk as, “The risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, individually or in combination with other misstatements. Detection risk is affected by the effectiveness of the substantive procedures and their application by the auditor.” An auditor can reduce the level of detection risk by designing tests of policies and procedures and applying sampling to help give reasonable assurance that a control is in place and operating effectively.

As you work with your auditor on your SSAE 16 (now SSAE 18), one set of concepts to be aware of is audit risk, control risk, and detection risk.

As an audit firm, we’re always concerned about whether or not our opinion is accurate about the service organization that we’re auditing; that’s the concept of audit risk. What are the chances that our audit will be incorrect? That we will miss something?

Control risk is the chance that your control is not operating effectively. The more that people are involved, the higher the control risk. For example, if you rely upon a person to monitor something or do something, there are inherent limitations to that because people make mistakes. There are also inherent limitations to automated practices because systems fail. There’s always some level of control risk, and the auditor will design tests in order to help us have reasonable assurance that the control is in place and is operating effectively for the greatest amount of time possible. That relates to detection risk.

What are the chances that we, in our audit, won’t detect something that is in existence? The auditor will design tests and will apply sampling in order to get a good snapshot of the control being in place and operating effectively, so that we can be reasonably assured in our opinion that we provide to you, the service organization. In turn, your clients will rely upon that opinion, which is why the audit has to be properly scoped, properly conducted, and it’s always being driven by these elements of risk that I’ve described.