Common Criteria 2.1
When a service organization undergoes a SOC 2 audit, the auditor will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 2.1 (CC2.1) states, "The entity obtains or generates and uses relevant, quality information to support the functioning of internal control." Let's discuss why it is important that a service organization demonstrate during its SOC 2 audit that management is making informed decisions.
Making Informed Decisions
How can an organization's management implement or change internal controls without accurate resources and information? What would be the impact on the integrity of those internal controls if management relied on inaccurate information? During a SOC 2 audit, the auditor will assess whether management uses resources that provide accurate and timely information to confirm that internal controls are in place and functioning properly. Such information supports the day-to-day decisions that allow an organization to run efficiently. Without it, vulnerabilities could be missed, and breaches would be more likely to occur. So, how can management ensure that it is making informed decisions?
Weekly management meetings are a good place to start. Setting aside dedicated time each week for department heads to bring reports from their respective departments, discuss their findings, and agree on solutions helps ensure that the management team is making informed decisions. For department heads to produce useful reports, though, each department must understand what information management needs in order to judge whether its internal controls are functioning. For example, if your Chief Technology Officer needs to make a decision about the internal controls relating to the physical security of a building, what information do they need, and who would provide it? These processes must be implemented and maintained so that management has what it needs to make informed decisions.
More SOC 2 Resources
How does your organization obtain and use relevant, quality information to make the day-to-day decisions needed to keep it running effectively? Common criteria 2.1 (CC2.1) of the SOC 2 Trust Services Criteria speaks directly to how you identify these sources of information and use them in the decisions management must make. For example, you might hold weekly management meetings, or you might receive reports from department heads that give you statistics and results. Taken together, these let you make those decisions and identify areas that need correction as well as areas that are performing as expected.