Common Criteria 1.5
When a service organization undergoes a SOC 2 audit, the auditors will look to validate that the organization meets the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 1.5 (CC1.5) states, “The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.” What do organizations need to do to demonstrate that they are holding employees accountable? Organizations can build accountability through both positive and punitive reinforcement, but what does that look like in practice? Let’s discuss.
Positive Reinforcements in the Workplace
In order to ensure that an organization’s internal controls are in place and operating effectively, the personnel responsible for those controls must be held accountable. Instituting positive reinforcement in the workplace is one way an organization can do this. Incentives such as bonuses or additional vacation time, or even public expressions of appreciation, can go a long way. When employees are recognized or rewarded for carrying out their control responsibilities, they are more likely to take ownership of them. Positive reinforcement sets the tone for accountability across the organization and encourages employees to want to meet the expectations set for them.
Punitive Reinforcements in the Workplace
Though some might feel that punishing employees is less effective than positive reinforcement, punitive measures can be necessary when it comes to holding employees accountable. For example, an employee who constantly misses deadlines should be reprimanded in some way, such as a one-on-one meeting with a supervisor or a written warning. If an employee responsible for physical security controls forgets to lock up the office, some disciplinary measure needs to be taken. Whatever measure is chosen, it should be documented, since a written record is what an auditor can actually review when testing CC1.5. By avoiding punitive reinforcement altogether, an organization signals to its employees that management does not take misbehavior or negligence seriously. Holding employees accountable might result in terminating a few of them, but it sets the tone for compliance and accountability for the rest of the organization.
More SOC 2 Resources
SOC 2 common criteria 1.5 (CC1.5) says that the entity has to hold individuals accountable for their internal control responsibilities. Accountability can be achieved positively or punitively. On the positive side, you could put rewards and incentives into place. When you catch somebody doing the right thing, when they achieve the objectives that you’ve set out for them, they should be held up as an example for the rest of the organization to see. When you have someone who breaks the rules and perhaps doesn’t live up to the requirements that you have, you should have some type of disciplinary measure, so that the organization knows that you are taking that seriously and that someone will be held accountable or perhaps even terminated if they don’t follow through with their internal control responsibilities.