Common Criteria 1.1
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.1 states, “The entity demonstrates a commitment to integrity and ethical values.” So, what does an organization need to do to demonstrate this? How will the auditor test for integrity? Let’s discuss.
Tone from the Top
It’s critical for any organization, regardless of industry or size, to set a tone for compliance by starting at the top of the organization. When the leadership team, management, senior executives, stakeholders, and/or board of directors support compliance efforts, this establishes a foundation for compliance and employees are much more likely to follow suit. During a SOC 2 audit, an auditor will interview and observe employees to determine if this tone for compliance has been instilled in the company culture and will consider questions, such as:
- What is management doing to show their commitment to integrity and ethical values?
- What is the culture of the company like?
- What kind of business reputation does the organization have?
- Do employees know what kind of behavior is expected of them?
Testing for Integrity in a SOC 2 Audit
When an auditor evaluates a service organization’s integrity and ethical values during a SOC 2 audit, they’ll do so by ensuring that there are written policies and procedures, as well as by interviewing and observing employees and the workplace environment. Having a formally documented set of policies and procedures allows auditors to see that there is an established standard that the organization must adhere to. Auditors want to see that the organization has created and implemented a code of conduct and a code of ethics and is actively working to ensure that such policies and procedures are followed. Auditors will look to ensure that these documents have been reviewed with employees – whether through the on-boarding process or as part of annual training programs – and have a required signature and acknowledgement from employees stating that they understand what standards they are expected to follow. Auditors also want to verify that the organization has policies and procedures regarding how to handle misconduct and unethical behavior and will interview management to confirm that such processes are being followed.
More SOC 2 Resources
Let’s start right at the top of the 2017 SOC 2 Trust Services Criteria. Common criteria 1.1 (CC1.1) has to do with the entity demonstrating a commitment to integrity and ethical values. How does a company demonstrate this? There’s a tone within the organization. You can tell it when you visit a company, when you talk to the people who work there, when you do business with them. Do they care about ethics? How do we as auditors audit that an organization has integrity? Well, first of all, we would look for a written standard of conduct. Does the organization have a code of conduct? Do they have a code of ethics? Do they require their employees to sign and acknowledge that they understand what standards the organization has for them? Also, when we interview members of management, that’s one of the things the auditor is looking for. Does this organization require this level of behavior, and if someone deviates from that, do they identify it and correct it? This is something that you should consider within your own organization as you seek to demonstrate your own commitment to integrity and ethical values.