SOC 2 Academy: Expectations of Policies and Procedures

by Joseph Kirkpatrick / January 25th, 2019

Common Criteria 5.3

Like with many other frameworks, including PCI DSS and HIPAA, policies and procedures are an integral component of achieving SOC 2 compliance. Why? Because during a SOC 2 audit, an auditor will assess an organization’s compliance with the 2017 SOC 2 Trust Services Criteria. As part of that, an auditor will verify whether or not an organization complies with common criteria 5.3, which says, “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.” Let’s take a look at how organizations can demonstrate compliance with common criteria 5.3 and what expectations of policies and procedures auditors will have.

Expectations of Policies and Procedures for SOC 2 Compliance

Creating and maintaining policies and procedures is no small task. It’s hard work, time-consuming, and can change your company culture. Creating, implementing, and maintaining effective policies and procedures is also paramount to ensuring an organization’s longevity. Policies lay the foundation of what organizations expect of their personnel, and procedures tell an organization’s personnel how they can meet those expectations. What expectations for policies and procedures will an auditor have? How can an organization meet those expectations of policies and procedures? During a SOC 2 audit, an auditor will verify that an organization does the following:

  • Creates and enforces policies and procedures that support the control activities
  • Establishes a system of accountability and responsibility for control activities in order to ensure that the policies and procedures are adhered to
  • Performs control activities in a timely manner and/or according to the time frame set forth in the policies and procedures
  • Takes corrective action in accordance with the policies and procedures when issues come up as a result of using the control activities
  • Performs control activities using competent personnel
  • Evaluates policies and procedures periodically and adjusts accordingly

While updating policies and procedures on a regular basis may seem like a tedious task, it’s a necessary one. To ensure compliance with the SOC 2 Trust Services Criteria, establishing processes to ensure that the expectations of policies and procedures are met needs to be a top priority. Organizations might consider having their own personnel help with this task or they might seek out a third-party, like KirkpatrickPrice, to develop their policies and procedures. Either way, committing to the process of maintaining effective policies and procedures will only have benefits in the long run and will allow organizations to meet the expectations of policies and procedures during their SOC 2 audit journey.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

More Policies and Procedures Resources

Style Guide to Creating Good Policies

Style Guide to Writing Good Procedures

Auditor Insights: Policies and Procedures Are Better Than Gold

Why You Need to Document Your Policies and Procedures

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

Common criteria 5.3 in the 2017 SOC 2 Trust Services Criteria is a big one. It’s about putting what you expect into policies, so that the organization can look at policies and understand what is expected of them, but you’ve also put procedures in place so that you can put those policies into action. That’s really the difference between policies and procedures: policies set forth what it is that you’re after, and procedures are how you’re going to get there. This really brings everyone down when we have so many things to do, and it’s so hard to keep our policies and procedures up to date and current. I know that we struggle with this. Sometimes I’ll look at a document that we wrote a few years ago to update it, and I’ll realize that it’s something that we did three years ago, and it’s not at all something that we do today. We can get so busy with other things that are going on, but there needs to be a process in place to get your policies and procedures updated. Make sure that your documentation is current and that your employees are using that documentation to understand what is expected and how they should do that. One idea is to take the reverse affect and ask the people who are responsible for their day-to-day actions to update the procedures and provide them to you, so that you can have visibility into what they’re doing, how they’re accomplishing things, and then back into the update in your documentation by using their critical knowledge to do that.