In 2013, the Committee of Sponsoring Organizations of the Treadway Commission, better known as COSO, enhanced its internal control framework, which has been widely adopted globally by a large number of organizations. This internal control framework is made up of five COSO components and 17 COSO principles, and it is used by many organizations to comply with the requirements of the Sarbanes-Oxley Act (SOX).
Additionally, the COSO 2013 internal control framework aligns with the Trust Services Criteria that are common to all System and Organization Controls (SOC 2) reports. Service organizations use these reports to provide user entities with information about their control environment over the services provided, which helps support the achievement of their service commitments and system requirements.
These principles in the internal control framework refer to the elements that must be in place for the entity’s internal control structure to be considered effective. While not all of the points of focus need to be met, controls need to adequately address the five COSO components and 17 COSO principles to achieve an effective overall system of internal control at the entity as a whole. The five COSO components, along with the 17 principles that align with the Trust Services Criteria, are described below together with some practical controls to meet their objectives.
The five COSO components and their associated 17 COSO principles are listed below in the order used by the Trust Services Criteria for SOC 2 examinations.
CC1 Control Environment
- COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
- COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
- COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
The control environment is the foundation upon which all the other components are built. Its purpose is to set the policies, procedures, expectations, and strategies across the entity.
The tone at the top is set within the control environment and reflects the integrity and ethical values expected across the entity. It empowers management to govern and oversee the achievement of the entity’s objectives through competent talent. Performance is measured, and incentives help to drive accountability for the achievement of objectives.
The sampling of controls noted below helps to achieve a strong control environment.
- The entity has established a code of conduct that is acknowledged by its employees.
- A board of directors or senior leadership team meets regularly to discuss internal controls, operations, risks, and strategies.
- The entity has established a reporting structure, authorities, and responsibilities across the organization through job descriptions and an organization chart.
- Competent individuals are hired for roles within the organization and background checks are performed.
- Performance reviews are conducted at least annually.
CC2 Communication and Information
- COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
- COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
- COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
Communication is an iterative, two-way process that shares information internally and externally as appropriate.
Internal communication shares information up, down, and across the entity to help carry out responsibilities, guide direction, and set expectations.
External communication provides valuable information and establishes boundaries, responsibilities, requirements, and expectations.
The sample of controls noted below helps to achieve effective communication and information.
- Policies and procedures are made available to all employees across the organization.
- Periodic training and acknowledgement on matters important to the organization, such as information security awareness, is conducted.
- The entity has established mechanisms for communicating incidents, failures, concerns, and other matters with internal and external parties.
- Master Service Agreements with external parties provide the responsibilities, boundaries, confidentiality, and service levels to set expectations.
- The entity communicates system changes internally and externally as appropriate.
CC3 Risk Assessment
- COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
- COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
The risk assessment component is important because every entity faces both internal and external risks that threaten the achievement of its objectives. Risks continue to change as the environment and other factors change. As such, identifying and assessing risks to the achievement of the entity’s objectives is a dynamic and iterative process.
The severity of a risk event is evaluated based upon its likelihood of occurrence and its impact to the business. The potential for fraud and vendor risks should be considered within the risk assessment.
The sample of controls noted below helps to achieve the objectives of the risk assessment component.
- A risk management policy exists to guide the organization on assessing and managing risks that threaten the achievement of the entity’s objectives.
- The entity maintains a risk register that is updated at least annually, or more frequently as needed depending upon changes in the entity’s operations or technology environment.
- Management across the organization participates in the risk assessment.
- Action plans are developed and tracked to mitigate residual risks that are above the entity’s risk tolerance.
- Vendor and fraud risks are considered in the risk assessment.
CC4 Monitoring Activities
- COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Monitoring activities evaluate and assess the entity’s system of internal control to ascertain whether objectives are being accomplished. Corrective actions are considered if deviations or deficiencies are identified.
A sampling of controls to meet the monitoring activities objectives follows.
- The entity monitors key activities and alerts are generated when those activities are outside normal tolerances.
- Alerts are routed to those responsible for taking action.
- Action plans are developed to mitigate deficiencies and take corrective action to return key activities within normal tolerances.
- A third-party independent SOC 2 audit is conducted annually.
CC5 Control Activities
- COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.
- COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Control activities are the actions established by the entity through its policies, procedures, and processes, which work in conjunction with each other to achieve the entity’s objectives.
Entities continue to fine-tune their control activities to make them more effective and efficient over time. These control activities are performed throughout all levels of the organization and incorporate the technology environment.
Control activities may be preventive or detective, and automated or manual. A mix of control types is best to ensure adequate coverage over the achievement of objectives.
While control activities are further broken out into logical and physical access controls (CC6), system operations (CC7), change management (CC8), and risk mitigation (CC9), a small sampling of controls that help to meet the control activities component is noted below.
- Policies and procedures are developed, periodically reviewed, and updated for current changes as needed.
- The entity establishes appropriate segregation of duties.
- System access is restricted to authorized individuals commensurate with their job responsibilities.
- Incidents are tracked, addressed, and resolved in a timely manner.
- Changes to infrastructure, applications, and data are authorized, tested, and approved prior to deployment.
- Backups are regularly performed and stored offsite.
Aligning the Trust Services Criteria with COSO 2013 was a logical way to apply internal controls at an entity as a whole, because COSO is a widely used and accepted internal control framework.
The five components and 17 principles of COSO are made part of the common criteria under the Trust Services Criteria for all SOC 2 reports.
Effectively designing and operating internal controls at an entity level helps support the achievement of the entity’s service commitments and system requirements provided to user entities.
If you would like more information, contact us at Linford & Company and we will help you with your SOC reporting needs. Our team of IT professionals completes SOC 1 audit reports (formerly SAS 70 / SSAE 16) and SOC 2 audit reports on behalf of many service organizations around the world.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.