Understanding Your SOC 1 Report: The 5 Components of Internal Control

by Joseph Kirkpatrick / March 20th, 2018

What are the Components of Internal Control (CRIME)?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. It’s one of the most common models used to design, implement, maintain, and evaluate internal control. To have an effective system of internal control, the COSO framework requires that service organizations have the defined components of internal control present, functioning, and supporting business and internal control objectives. Control environment, risk assessment, information and communication, monitoring, and existing control activities make up the five components of internal control, known by the acronym of CRIME.

What are the components of CRIME and what do they mean for your organization?

  1. Control Environment: The first component of internal control is control environment. A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values. Is management committed to an effective system of internal control? Is there some type of team committed to internal auditing or compliance? How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness?
  2. Risk Assessment: Risk assessment is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control. Does the organization know where assets live? Does the organization assess risks that are a threat to the achievement of internal control objectives? Are controls fully understood? Are there tests performed to assess of control?
  3. Information and Communication: Quality information and effective communication within a service organization can impact meeting internal control objectives. When there’s a system change, how does management communicate that to internal employees and/or external users? What is the effectiveness of that communication?
  4. Monitoring: How does management monitor the operating effectiveness of the organization? How do you address efficiencies and take part in corrective action?
  5. Existing Control Activities: The final component of internal control is existing control activities. This is the largest component, as it provides the details about the controls that you’ve put into place to meet your internal control objectives. Does the organization have documented policies and procedures? Is there a business continuity plan? Is there a change management program?

The five components of internal control function together to create an effective system of internal control. You must have a control environment to create a compliance culture within your organization. Once you have management’s support and influence, you can create a risk assessment process that identifies and manages risks that threaten the achievement of internal control objectives. You can then implement control activities that meet your internal control objectives and use effective communication to implement these processes throughout your organization. An ongoing monitoring program will keep your organization focused on meeting internal control objectives.

To learn more about how to implement the five components of internal control at your organization, contact us today.

In order to complete your SSAE 16 (recently updated to SSAE 18), you must have the five components of internal control present and functioning. These components are known by the acronym of CRIME. The first component is a control environment. How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness? The second component is risk assessment. Does the organization assess risks that are a threat to the achievement of your control objectives? The third component is information and communication. How does management communicate to your internal employees and your external users of your controls about any system changes or anything that might affect the use of the system that the service organization is offering? The fourth component is monitoring. How does management monitor the operating effectiveness of the organization? How do you address efficiencies and take part in corrective action? The fifth component is existing control activities. This section of the SSAE 16 (recently updated to SSAE 18) is the largest, as it provides the detail about the controls that you’ve put into place to meet your control objectives.