Common Criteria 4.2
When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 4.2 says, “The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” What will an auditor look for when assessing this criterion? What do organizations need to do to comply with this requirement? Let’s discuss.
Communication is Key
Common criteria 2.2 and 2.3 explain the importance of communication during a SOC 2 audit, but common criteria 4.2 takes it a step further. While organizations need to establish clear and effective methods of two-way communication both internally and externally, they also need to establish processes that emphasize the importance of communicating in a timely manner. Critical vulnerabilities could be missed, breach notifications could be delayed, and clients could be put even more at risk if an organization fails to communicate in a timely manner. Because of this, during a SOC 2 audit, an auditor will want to verify that there are established channels for communication so that all parties are able to relay information in a timely manner and are working together to ensure that the internal controls are in place and operating effectively.
Consider it this way: if IT personnel noticed a vulnerability in the network, what processes are in place so that the employee can notify the correct people to mitigate the problem in a timely manner? Is there a chain of command the employee would have to go through? Would they need to contact the person responsible for taking corrective action directly? If an organization’s employees aren’t aware of how to notify their supervisors of internal control deficiencies in a timely manner, the organization could face reputational, organizational, and financial damage.
When making the journey toward SOC 2 compliance, it is important that organizations demonstrate that they have the processes in place to ensure the proper functioning of their internal controls, which includes communicating effectively about internal control deficiencies. Before beginning a SOC 2 audit, make sure that your management is assessing the results of evaluations over internal controls, communicating with personnel in a timely manner about internal control deficiencies, and monitoring the corrective action plan so that your organization complies with common criteria 4.2.
More SOC 2 Resources
The SOC 2 common criteria 4.2 says that your entity has to evaluate and communicate internal control deficiencies in a timely manner. The first step to do this is actually knowing that there is a deficiency. How will you be able to identify that those deficiencies are there so that you can communicate about them in a timely manner? These are things that you have to consider as you design your controls. You’ll also need to ask yourself: does management get the information they need in a timely way? I remember one time when we identified that the log management server had been turned off at an organization for over six months, but management had no idea. They did not know that the server had been turned off, which indicated to us that the results and output of that particular control were not being reported to management on a regular basis, so when it stopped reporting, they weren’t aware and couldn’t deal with it in a timely manner. Being able to identify deficiencies, communicate about them, and take corrective action is very important. You want to have the type of people who work for you that will tell you about a problem as soon as it’s identified, so that you can deal with it and correct it. Furthermore, you would really like to have the type of people that work for you who will not only tell you about the problem but bring you the corrective action. For example, an employee saying, “The log server went down today, but here’s what we can do to fix it. I am just keeping you informed.” That would be the most ideal way to comply with common criteria 4.2.
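The silent log server above is a deficiency that only surfaces if something watches for sources that stop reporting. The following is an added illustration, not code from the article or from any SOC 2 guidance: a freshness check that compares each log source's last-seen timestamp against a tolerance, raises a warning when a source goes quiet, and adds senior management to the notification list once the gap exceeds an escalation threshold. The source names, owner names, timestamps and thresholds are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: last event received from each log source (hypothetical
# names and times; in practice this comes from the SIEM or log collector).
LAST_SEEN = {
    "log-mgmt-server": "2024-01-03T08:15:00Z",   # went quiet ~six months ago
    "fw-edge-01": "2024-07-01T11:58:00Z",
    "app-api-prod": "2024-07-01T11:59:30Z",
}

# Parties responsible for corrective action on each source (hypothetical).
OWNERS = {
    "log-mgmt-server": ["it-ops", "security-lead"],
    "fw-edge-01": ["network-team"],
    "app-api-prod": ["platform-team"],
}

def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def silent_sources(last_seen, owners, now, max_silence, escalate_after):
    """Return one deficiency record per source that has stopped reporting.

    A source is 'warning' once silent longer than max_silence and 'escalate'
    once it exceeds escalate_after; escalated records add senior management
    to the notification list. Longest-silent sources are listed first.
    """
    findings = []
    for source, ts in last_seen.items():
        silent_for = now - parse_ts(ts)
        if silent_for <= max_silence:
            continue  # still reporting within tolerance
        severity = "escalate" if silent_for > escalate_after else "warning"
        notify = list(owners.get(source, ["unassigned"]))
        if severity == "escalate":
            notify.append("senior-management")
        findings.append({"source": source, "severity": severity, "notify": notify,
                         "silent_days": round(silent_for.total_seconds() / 86400, 1)})
    findings.sort(key=lambda f: f["silent_days"], reverse=True)
    return findings

def check(now_str, max_silence_hours=1, escalate_after_days=1):
    """Convenience wrapper: run the check against the sample data at a given time."""
    return silent_sources(LAST_SEEN, OWNERS, parse_ts(now_str),
                          timedelta(hours=max_silence_hours),
                          timedelta(days=escalate_after_days))

if __name__ == "__main__":
    for f in check("2024-07-01T12:00:00Z"):
        print(f"{f['severity'].upper():8} {f['source']}: silent {f['silent_days']} days "
              f"-> notify {', '.join(f['notify'])}")
```

Wiring the escalate list into the incident or ticketing workflow is what turns this from a dashboard into the timely communication CC4.2 asks for.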