Common Criteria 4.1
When a service organization undergoes a SOC 2 audit, auditors will look to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.1 (CC4.1) states, “The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Why is it so important that organizations effectively perform evaluations of internal control? Let’s find out.
Monitoring Internal Control for SOC 2 Compliance
Because every organization is different when it comes to monitoring activities, an auditor will seek to understand what the organization does and how they do it during a SOC 2 audit. Considering this, in order for an organization to demonstrate that they comply with common criteria 4.1, they’ll need to show that they are conducting evaluations of internal control, which should include:
- Considering a mix of ongoing and separate evaluations
- Considering the rate of change of business or business processes
- Using the current internal control system to establish a baseline understanding for future evaluations
- Using knowledgeable personnel to conduct the evaluations of internal control
- Integrating the evaluations of internal control with business processes
- Adjusting the scope and frequency of evaluations depending on risk
- Ensuring that separate evaluations are conducted periodically to promote objectivity
- Utilizing various types of evaluations of internal control (e.g., penetration testing, third-party assessments, or internal audits)
Auditors will also want organizations to explain how they conduct evaluations of internal control. For instance, this might be done by explaining to an auditor that your department heads receive reports biweekly while leadership and department heads meet monthly to review those reports to determine how the organization should implement changes. Essentially, having effective evaluations of internal control allows organizations to ensure that their internal controls are present and functioning, and if they aren’t, the evaluations of internal control will give insight into the vulnerabilities that need to be remediated.
More SOC 2 Resources
SOC 2 common criteria 4.1 (CC4.1) says that the entity has to select, develop, and perform ongoing and/or separate evaluations of their internal control functioning. Generically speaking, this is monitoring. How do you monitor the performance of your internal control within your organization? Do you have regular meetings and conversations with departments to look at the results that they’ve experienced? Do you have data that comes to you that has to be analyzed and reviewed in order to determine whether a system is operating the way it’s supposed to? Do you get output from the various technologies that you’ve put into place in order to identify if anything has changed or if a new threat has appeared? How do you monitor the overall functioning of your team? This means more than just the systems and processes, but also the people.

Every organization is different when it comes to monitoring activities, so when we’re performing that audit, we’re seeking to understand what you do and how you do it. For example, we’d like for you to explain to us the meetings you have on a weekly basis, the reports that you review on a monthly basis, and the processes that are in place to help you make decisions or changes within the organization as you review data. We want you to help us understand your environment better, so that we can help guide you and help you understand whether or not your monitoring activities are compliant with common criteria 4.1.