Common Criteria 2.3
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.3 says, “The entity communicates with external parties regarding matters affecting the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss how organizations should be communicating with external parties.
Communicating with External Parties
Similar to common criteria 2.2, common criteria 2.3 calls for an organization to establish a system of two-way communication with its external parties. External parties include an organization’s stakeholders, such as shareholders, partners, investors, owners, regulators, customers, vendors, or financial analysts. During a SOC 2 audit, an auditor will want to verify that the organization is communicating information about the functioning of its internal controls to these external parties. An auditor will also want to see that there are processes in place that allow external parties to communicate input, concerns, or feedback to the organization’s management or board of directors. For example, management might send out monthly newsletters to stakeholders updating them on the progress or current state of the organization’s internal controls. Management might also host a bi-annual meeting or send out an anonymous survey to all shareholders in order to receive feedback about the company. Regardless of the industry or size of an organization, communicating with external parties promotes the transparency needed to ensure that the organization’s internal controls are running effectively.
More SOC 2 Resources
Common criteria 2.3 (CC2.3) of the SOC 2 Trust Services Criteria talks about communicating with external parties. Who are these external parties? I would call them stakeholders. Stakeholders to your organization would include owners, partners, customers, regulators, people who have a financial interest in your organization, and vendors. All of these people need to be communicated with from time to time, not only about your expectations of them, but also to receive feedback from them about how your organization is doing. Do you take feedback from those types of stakeholders and consider and integrate it into your monitoring activities to make sure that your organization is operating the way that you expect?