Common Criteria 2.2
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.2 says, “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss communicating with internal parties during an audit.
Communicating with Internal Parties During an Audit
During a SOC 2 audit, an auditor wants to see healthy internal communication. Any employee responsible for the functioning of internal controls must be involved in the audit process and understand how to communicate any issues. This means that the board of directors, C-level executives, directors, IT staff, and other personnel are engaged and willing to communicate issues that are discovered and need to be remediated.
The audit process can be tedious, and it can be even more difficult if the involved parties aren’t communicating effectively. For example, if a C-level executive is not involved in the audit process or doesn’t want to hear about vulnerabilities that were found, this raises a red flag for an auditor. How could a CEO possibly know what’s going on with the organization’s information systems if she’s not communicating with internal parties? How could this CEO make sure that the organization’s internal controls are operating effectively? What would happen if an IT staff member found a vulnerability but didn’t know how to notify their CTO? When it comes to communicating with internal parties during an audit, organizations ultimately need to demonstrate that there is a culture of free-flowing communication throughout the company. To comply with common criteria 2.2, an auditor will want to verify that there are established channels for communication, so that all parties are able to relay information in a timely manner and are working together to ensure that the internal controls are in place and operating effectively.
More SOC 2 Resources
When we are auditing how an entity internally communicates, we’re really looking to make sure that there is a healthy understanding of the things that need to be communicated back and forth between management and those who are responsible for making sure that the controls are operating effectively. I’ll give a really great example that I saw one time. The CEO of an organization, on a weekly basis, made sure that he visited the cubicles of each employee in order to tell them about the security concerns that he had and make sure the employees knew about their role in making sure that the company met its compliance objectives. There was a very healthy understanding of what the expectations were, and everybody knew that the CEO really cared about the issue. The flip side of that was one time when I went into a CEO’s office in order to talk about the compliance and information security issues that we were identifying in the audit, and he did not want to have the conversation. He asked us to just talk to the IT department; he didn’t want to know anything about it. There was a separation there between those charged with governance and what was actually happening on the ground, and you’ve got to have that free-flowing communication. I think the question you should ask yourself is: If I have an employee who knows of a problem, does that employee feel free to come and talk to somebody who is at a C-level, or maybe even submit something for the board to be concerned about and consider? Do they feel empowered to bring that to our attention?