Common Criteria 5.1
When an organization undergoes a SOC 2 audit, auditors need to validate that the organization complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 5.1 says, “The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” What will an auditor look for when assessing this criterion? What do organizations need to do to show how they are implementing internal controls? Let’s discuss.
Implementing Internal Controls to Mitigate Risk
When an auditor assesses an organization’s compliance with common criteria 5.1 during a SOC 2 audit, they will want to see that the organization has implemented internal controls that assist them in accomplishing their business objectives. But how can organizations demonstrate this? While common criteria 5.1 is a bit ambiguous, it is intended to be broad in order to allow organizations to implement the internal controls that work best for their organization and the goals they need to meet. To demonstrate compliance, an auditor will want organizations to show that they do the following when implementing internal controls to mitigate risks:
- Integrate with the risk assessment – Are the internal controls effectively mitigating the risks identified in the risk assessment?
- Consider entity-specific factors – How does the environment, complexity, nature, and scope of an organization affect the selection and development of the internal controls?
- Determine relevant business processes – What relevant business processes require internal controls?
- Evaluate a mix of control activity types – What mix of controls will best mitigate the risks identified?
- Consider at what level activities are applied – What level in the organization are internal controls needed?
- Address segregation of duties – What does management do to segregate incompatible duties or develop alternative internal controls?
Selecting and Developing Internal Controls
Common criteria 5.1 is all about choosing the right internal controls for your organization, implementing those controls, and making sure the variety of controls chosen is the right mix so that risk is reduced to an acceptable level. Let’s use physical security as an example. If an organization needs to implement internal controls to mitigate the risk of an unauthorized person entering sensitive areas of an office building, what would those look like? An organization wouldn’t rely on a single internal control to mitigate this risk. Instead, a mix of control activity types would be necessary. This might include a locked front door, a receptionist or security guard, video cameras, access cards, and other individuals throughout the building who would be able to notify the proper personnel if an unauthorized person were on the property. By choosing this variety of controls, an unauthorized person would be far less likely to reach a sensitive area than if only one of those internal controls were in place.
More SOC 2 Resources
You may look at common criteria 5.1 in the SOC 2 Trust Services Criteria and wonder what exactly we’re getting at with it. Common criteria 5.1 is very broad in its intent. It says that the organization selects controls that are designed to mitigate risk. What does that mean exactly? You should put controls into place that help you accomplish what it is that you want to accomplish. I think that we do this naturally. You really want to select controls that will be a mixture of different types of controls to make sure that what you’re expecting as an end result actually occurs. I’ll use physical security as an example. If you’re concerned about unauthorized people getting into a sensitive area, such as a server room or data center, you will very naturally select a variety of controls. You won’t just have one control that you pin your hopes on; you’ll make sure that you have a locked front door, a person sitting at the front who is responsible for monitoring who comes in or out, video cameras, access cards, and other individuals who work inside the building who would be able to recognize that something is wrong if a visitor accesses secure areas. There are multiple controls happening there, and any one of them could potentially stop a person from entering the sensitive area. Common criteria 5.1 is all about thinking about your controls, making sure you have the right mix of controls, and making sure that your ultimate goal is met, which is reducing risk.