Common Criteria 1.3
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.3 (CC1.3) states, “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Let’s discuss at how organizations can go about defining the responsibilities of employees and what auditors will be looking for.
Establishing Oversight, Reporting Lines, and Responsibilities
When employees have multiple roles and responsibilities, it can lead to confusion and miscommunication. Defining the responsibilities of employees by establishing oversight, reporting lines, and designating appropriate authorities are key ways that an organization can ensure that it is resolving this confusion and creates an effective organizational structure to complete business processes. Employees who have a clear understanding of their role and responsibilities, who they report to, and how they fit into the larger company dynamic are more likely to work more efficiently with their colleagues and avoid miscommunication. If a problem arises, an employee won’t waste time trying to figure out who they need to alert because they’ll know exactly who they need to tell the problem to. It is especially important for service organization’s management to establish and maintain a cohesive environment, because if a vulnerability is discovered or a breach occurs, those vulnerabilities can be effectively communicated and mitigated.
During a SOC 2 audit, an auditor will reference several documents to ensure that common criteria 1.3 is met. For example, an auditor might use a company’s organizational chart as evidence to understand who reports to who and which responsibilities belong to which employees. An organizational chart acts as a key piece of evidence that a service organization’s management is defining the responsibilities of employees because it visually represents an entire organization. In addition to this, an auditor will verify that an organization has well-documented policies and procedures that explain the organization’s structure, reporting lines, and roles and responsibilities.
More SOC 2 Resources
Common criteria 1.3 (CC1.3) has to do with the board defining responsibilities for management. Have reporting lines been established? Has a structure been put into place? Because an auditor will look at your organizational chart as evidence to understand who reports to who, and what responsibilities have been given to those charged with day-to-day duties.