5 Components of Internal Control

by Joseph Kirkpatrick / June 28th, 2019

Implementing Internal Controls for SOC 1 Compliance

When an organization pursues SOC 1 compliance, it will be tested against the COSO Internal Control – Integrated Framework, one of the most widely used frameworks for designing, implementing, maintaining, and evaluating internal controls. To complete a SOC 1 audit successfully, an organization needs to meet the three objectives of internal control, demonstrate that the five components of internal control are in place and functioning, and implement the 17 principles that the framework attaches to those components. We’ve already covered how organizations can meet the three objectives of internal control; here we look at the five components of COSO and what they mean for SOC 1 compliance.

The 5 Components of COSO: C.R.I.M.E.

The five components of COSO – control environment, risk assessment, information and communication, monitoring activities, and existing control activities – can be remembered by the acronym C.R.I.M.E. To get the most out of your SOC 1 compliance effort, you need to understand what each of these components covers.

  1. Control Environment: How has management put in place policies and procedures that guide the organization? What tone has management set so that everyone understands they are responsible for making sure that controls operate effectively and achieve the results management expects?
  2. Risk Assessment: How does your organization assess risk in order to identify the things that threaten the achievement of its objectives?
  3. Information and Communication: How does management communicate to internal and external users what is expected of them? How do you confirm that those people have acknowledged and understood what you are asking them to do?
  4. Monitoring Activities: How does management oversee the functioning of the entire organization? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as possible?
  5. Existing Control Activities: What controls do you currently have in place? Were they in place and operating effectively throughout the period under review?


To complete your SOC 1 audit, you have to have the five components of internal control in place and functioning. These five components are known by the acronym C.R.I.M.E. The “C” stands for control environment: How has management put in place policies and procedures that guide the organization? What tone has management set so that everyone understands they are responsible for making sure that controls operate effectively and achieve the results management expects? The “R” stands for risk assessment: How does the organization assess risk in order to identify the things that threaten the achievement of its objectives? The “I” stands for information and communication: How does management communicate to internal and external users what it expects from them? How do you confirm that those people have acknowledged and understood what you are asking them to do? The “M” stands for monitoring activities: How does management oversee the functioning of the entire organization? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as possible? The “E” stands for existing control activities. This is the largest section of a SOC 1 report, because it describes all of the controls you have put in place and how the auditor tested those controls to confirm that they were operating effectively throughout the period under review.

About the Author

Joseph Kirkpatrick

Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice and holds the CISSP, CISA, CGEIT, CRISC, and QSA certifications, specializing in data security, IT governance, and regulatory compliance. He enjoys helping our clients and stakeholders by navigating them through the complex maze of compliance and regulatory requirements.