Common Criteria 1.2
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.2 states, “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” Let’s take a look at how boards of directors can demonstrate independence from management and at some exceptions to the requirement.
Maintaining Independence from Management
The purpose of a board of directors is to ensure that a service organization’s business objectives are met, to determine whether the interests of the entity’s stakeholders and shareholders are considered, to verify that policies and procedures are upheld, and to provide oversight and management of the organization. In order to fulfill each of these roles, the board of directors must demonstrate independence from management, and board members who have ties to the organization can undermine that independence. For example, if a board member has charitable ties to a service organization, they might be swayed to vote in a certain direction regarding the company’s financial performance to ensure that they still receive their charitable donations that quarter. Another example might be a board member who is a former executive of the company. If the company is looking to merge with another entity, that board member might have ulterior motives for not wanting to proceed with the merger.
During a SOC 2 audit, an auditor will look to ensure that the service organization’s board contains members who are objective and who can independently oversee what the organization is doing. If a service organization is looking to comply with various regulatory rules, is undergoing multiple audits, or is having its information security systems tested, auditors will want to verify that the board is involved with those processes. A service organization whose board of directors shows little involvement in such engagements sets off a red flag to auditors; there should at least be reporting going to the board to inform it of what’s occurring within the organization, so that it can perform proper oversight and governance.
Exceptions to the Rule
When clients engage us for a SOC 2 audit, we are often asked, “What if our organization doesn’t have a formal board of directors?” During the SOC 2 audit process, our Information Security Specialists will take this into consideration depending on the size and complexity of the service organization. Perhaps the service organization is a small, family-owned business that has one individual acting as both the CEO and the board. In that case, the auditor would focus on assessing the people who have a vested interest in making sure that the organization is meeting its obligations and is conducting business in the way that the owner expects.
More SOC 2 Resources
Common criteria 1.2 (CC1.2) in the SOC 2 Trust Services Criteria has to do with the board demonstrating independence from management and overseeing the activities of the organization. As an auditor, we’re going to look for a board that contains members who are objective and who can independently oversee what the organization is doing. If you are seeking to comply with various regulatory rules, if you are conducting audits, if you are concerned about information security, which involves IT, the board can’t be separate from that. They can’t say that they don’t have anything to do with it. There should at least be reporting that’s going to the board to inform them of what’s occurring, so that they can perform the proper oversight and governance for your entity. One of the common questions that we get is, “What if our organization doesn’t have a formal board of directors?” Maybe there is just one owner, or it’s a small organization, a family-owned business, and the board is really the CEO and the CFO, or maybe it’s just one individual who is the owner of the organization. That’s okay in this situation, because when you look at things from the perspective of the size and complexity of your organization, if you’re structured in that way, when we ask you questions about the board of directors, we’re really just referring to ownership—the people who have the vested interest in making sure that the organization is meeting its obligations and that it is conducting business in the way that the owner expects.