Common Criteria 3.4
When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.4 (CC3.4) states, “The entity identifies and assesses changes that could significantly impact the system of internal control.” Let’s take a look at what organizations need to do during their SOC 2 audit to demonstrate compliance with common criteria 3.4.
Consider Organizational Changes in Your Risk Assessment
During the annual risk assessment review, organizations often say that they have not experienced any organizational changes since their last audit. While it’s true that organizations might not go through significant changes between audit periods, such as an overhaul of leadership, laying off entire departments, or merging with another business, organizations will almost always experience some change. This is why it is so important that organizations proactively assess changes within their organization, no matter how small the change appears to be.
During a SOC 2 audit, an auditor will observe how an organization assesses changes within their organization. These organizational changes might include:
- Changes to the external environment
- Changes to the business model
- Changes to leadership
- Changes to the organization’s systems and technology
- Changes to vendor and business partner relationships
For example, if leadership decides to adopt a new technology, how does that impact the organization’s system of internal control? What new risks does the new technology add? Are new processes needed to monitor it? Do you know all of the resources available to effectively deal with the risks associated with it? Do you need to hire new employees to manage it? Whether the change is simple or complex, adding new technology must be considered during an organization’s annual risk assessment, and existing controls should be re-evaluated to confirm they still cover the changed environment. Organizations that fail to effectively assess changes within their organization will be more at risk for data breaches and security incidents, because they won’t have a cohesive understanding of the risks that could impact their system of internal control.
More SOC 2 Resources
One of the things we do when we kick off an audit is ask, has anything changed within the last year? More often than not, people answer that there have been no changes and that everything remains the same as the previous year. However, it’s really hard to not have any changes. When you start to look at it, it’s clear that there are changes, such as personnel, location, and technology changes. You have to consider all of those things in your risk assessment when it comes to changes that have affected your environment. Common criteria 3.4 (CC3.4) of the SOC 2 Trust Services Criteria requires that you take that into consideration in your own risk assessment. What are the things that have changed this year? What new risks could those introduce into the organization? Did you bring new technology in and haven’t yet learned how to monitor it? Do you know all of the resources available to effectively deal with the risks associated with new technology? What about personnel? If you add a new person to your leadership team who brings in a new perspective, what risks could a change in ideas or personality present? Did you allow employees to work from home this last year or open a new satellite office? Any of those kinds of changes that you’ve introduced into your environment must be identified and considered, at a minimum, in your annual risk assessment.