SOC 2 Academy: Who is Monitoring Internal Controls?

by Joseph Kirkpatrick / January 18th, 2019

Establishing methods of effective monitoring is a critical component of SOC 2 compliance. During a SOC 2 audit, an auditor will not only assess whether or not an organization is effectively monitoring their internal controls but also whether or not the proper person is monitoring those internal controls. Why is that? It comes down to the need for checks and balances, so let’s discuss.

Monitoring Internal Controls

When deciding who should be monitoring internal controls, the person selected needs to be someone who is outside of the environment and is not responsible for the internal control. For example, if a network administrator is responsible for ensuring that an internal control over the network they created is functioning correctly, that network administrator could miss critical vulnerabilities because they are working closely with the network on a regular basis. Similarly, having the person who is responsible for the control also monitoring the internal control could pose a potential opportunity for an employee to commit fraudulent behavior.

During the SOC 2 audit process, an auditor will verify that the correct personnel are tasked with monitoring internal controls. Auditors will want to see that organizations are conducting valid, accurate, and above-board evaluations of internal control, and organizations can do this by tasking the correct personnel with oversight. Think of it this way: why do organizations seek out third-party audit firms to conduct audits instead of solely relying on their internal audit team? For organizations who are serious about strengthening their security posture, using third-party audit firms helps them identify and mitigate vulnerabilities that otherwise may have been missed by their internal audit department. This is exactly what happens if a person who has created a network or system component is also responsible for monitoring it. To ensure the continuity of organizations’ security postures, it’s critical that the correct person is monitoring the internal controls.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

When we talk about monitoring internal control, it’s very important to ask the question: is the right person monitoring the right thing? For example, if you have an IT function and the only person who is monitoring that IT function is the IT person who implemented it in the first place, then that isn’t a proper way to monitor that control. You have to have some method of evaluating the control and environment that is outside of the one person who is responsible for it. Penetration testing is a great example of this. A lot of times we find that the person who configured and implemented the system is also the person who hires, selects, and monitors the results of the penetration test, but you should ideally keep that separate so that you can have a valid, accurate, and above-board evaluation of a system when you choose to engage in a monitoring activity, such as penetration testing.