How the COSO Principles & SOC 2 Trust Services Criteria Align

Aligning COSO principles and SOC 2 TSCs

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework and the AICPA Trust Services Criteria are two control frameworks used to assess and improve the effectiveness of internal controls. The COSO principles are general in nature, while the AICPA Trust Services Criteria are written for service organizations, such as providers of software as a service (SaaS) systems or other outsourced activities. Both frameworks can be used to identify and mitigate risks and to improve the overall quality of internal controls.

In 2013, COSO updated its Internal Control-Integrated Framework to describe explicitly the elements of an effective system of internal control. The framework has been widely adopted around the world. It is made up of five components and 17 principles, and many organizations use it to comply with the internal control requirements of the Sarbanes-Oxley Act (SOX).

The 2013 COSO framework also aligns with the Trust Services Criteria that are common to all System and Organization Controls (SOC 2) reports. Service organizations use these reports to give user entities information about the controls over the services provided that support the achievement of their service commitments and system requirements. Since the 2017 revision of the Trust Services Criteria, the internationally accepted COSO framework has been incorporated into the common criteria relevant to security.

In my personal experience working in the industry with a company implementing the COSO Internal Control-Integrated framework, the performance of a risk assessment which had never been done across the company at a detailed level before was instrumental in pinpointing numerous risks around inventory shrinkage. After controls were designed and implemented to mitigate the risks identified, revenues increased substantially. Adopting an internal control framework mitigates risk and adds value to the bottom line. Effective internal controls are good for business.

How Does the Trust Services Criteria Incorporate the COSO Principles?

The COSO Principles and the AICPA Trust Services Criteria are aligned in several ways. For example, both control frameworks:

  • Emphasize the importance of a strong control environment.
  • Require organizations to identify and assess risks.
  • Require organizations to put in place control activities to mitigate risks.
  • Require organizations to communicate information about internal controls to relevant stakeholders.
  • Require organizations to monitor the effectiveness of internal controls.

However, there are also some key differences between the two control frameworks. The COSO principles are general in nature so that they fit companies across a diverse range of industries, while the AICPA Trust Services Criteria are specific to service organizations. Additionally, the COSO principles address the internal control system as a whole, while the AICPA Trust Services Criteria add specific control criteria that help a service organization achieve its service commitments and system requirements.

The COSO principles in the internal control framework are the elements that must be in place for the entity’s internal control structure to be considered effective. While not every COSO point of focus needs to be present, each of the five COSO components and 17 COSO principles must be present and functioning for the entity’s overall system of internal control to be effective. The five COSO components and the 17 principles, which are also the common criteria relevant to security within the Trust Services Criteria, are described next along with some practical controls that meet them.

The five COSO components along with their associated 17 COSO principles are aligned below in the order of the AICPA Trust Services Criteria for SOC 2 examinations.

 

CC1: Control Environment

Common Criteria 1 – Control Environment

The principles listed below have been sourced directly from COSO.org.

  • COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
  • COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

The COSO control environment component is the set of standards, values, and attitudes that influence the control consciousness of an organization. The control environment is the foundation upon which all the other components are built. Its purpose is to set the policy, procedures, expectations, and strategies across the entity.

The control environment sets the tone at the top: the integrity and ethical values expected across the entity. It gives the board the independence to oversee, and management the authority to direct, the achievement of the entity’s objectives through competent people. Performance is measured, and incentives and accountability drive the achievement of objectives.

A sampling of controls noted below helps to achieve a strong control environment.

  • The entity has established a code of conduct that is acknowledged by its employees.
  • A board of directors or senior leadership team meets regularly to discuss internal controls, operations, risks, and strategies.
  • The entity has established a reporting structure, authorities, and responsibilities across the organization through job descriptions and an organization chart.
  • Competent individuals are hired for roles within the organization and background checks are performed.
  • Performance reviews are conducted at least annually.

 

CC2: Information and communication

Common Criteria 2 – Information & Communication

The principles listed below have been sourced directly from COSO.org.

  • COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
  • COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Information and communication are the processes by which information is collected, communicated, and used to manage risks. Communication is an iterative process that goes both ways to share information internally and externally as appropriate.

Internal communication shares information up, down, and across the entity to help carry out responsibilities, guide direction, and set expectations.

External communication provides valuable information and establishes boundaries, responsibilities, requirements, and expectations.

A sample of controls noted below helps to achieve effective information and communication.

  • Policies and procedures are made available to all employees across the organization.
  • Periodic training and acknowledgment on matters important to the organization, such as information security awareness, are conducted.
  • The entity has established mechanisms for communicating incidents, failures, concerns, and other matters with internal and external parties.
  • Service agreements with external parties provide the responsibilities, boundaries, confidentiality, and service levels to set expectations.
  • The entity communicates system changes internally and externally as appropriate.

 

CC3: Risk Assessment

Common Criteria 3 – Risk Assessment

The principles listed below have been sourced directly from COSO.org.

  • COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
  • COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

Risk assessment is the process of identifying and analyzing risks to the achievement of objectives as the basis for deciding how they should be managed. The COSO risk assessment component is important because every entity faces internal and external risks that threaten the achievement of its objectives. Risks change as the environment and other factors change, so identifying and assessing risk to the achievement of the entity’s objectives is a dynamic and iterative process.

Evaluating the severity of the risk event is based on the likelihood of occurrence and potential impact on the business. The potential for fraud, third-party risks, and company changes impacting internal controls should be considered within the risk assessment.

A sample of controls noted below helps to achieve the objectives for the risk assessment component.

  • A risk management policy exists to guide the organization in assessing and managing risks that threaten the achievement of the entity’s objectives.
  • The entity maintains a risk register that is updated at least annually or more frequently as needed depending upon changes in the entity’s operations or technology environment.
  • Management across the organization participates in the risk assessment.
  • Action plans are developed and tracked to mitigate residual risks that are above the entity’s risk tolerance.
  • Third-party and fraud risks are considered in the risk assessment.
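The scoring and register described above, as an added example that is not part of the original article or any COSO or AICPA material. It rates each risk by likelihood and impact, reduces the likelihood by the assessed effectiveness of the controls mapped to it, flags residual risks above the entity’s risk tolerance as candidates for tracked action plans, and checks that fraud, third-party, and change risks were considered at all. The 1-5 scales, the multiplicative control model, the tolerance value, and the register entries are all assumptions constructed for the example; COSO prescribes none of them.

```python
from dataclasses import dataclass, field

# Ordinal 1-5 scales are an assumption for this example; COSO does not prescribe a scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Categories the risk assessment must consider (COSO Principles 8 and 9).
REQUIRED_CATEGORIES = {"fraud", "third-party", "change"}


@dataclass
class Control:
    name: str
    kind: str              # "preventive" or "detective"
    effectiveness: float   # 0.0 = no effect, 1.0 = fully mitigates (management's assessed value)

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be between 0 and 1")
        if self.kind not in ("preventive", "detective"):
            raise ValueError(f"{self.name}: kind must be preventive or detective")


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str          # e.g. "operational", "fraud", "third-party", "change"
    likelihood: str
    impact: str
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Score after controls. Assumption: controls reduce likelihood, not impact,
        and combine multiplicatively (two 50%-effective controls leave 25%)."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(LIKELIHOOD[self.likelihood] * remaining * IMPACT[self.impact], 2)


def risks_needing_action(register: list[Risk], tolerance: float) -> list[Risk]:
    """Residual risks above tolerance, highest first: these need tracked action plans."""
    above = [r for r in register if r.residual_score() > tolerance]
    return sorted(above, key=lambda r: r.residual_score(), reverse=True)


def missing_categories(register: list[Risk]) -> set[str]:
    """Required categories the assessment did not consider at all."""
    return REQUIRED_CATEGORIES - {r.category for r in register}


def uncontrolled(register: list[Risk]) -> list[str]:
    """Risk IDs carrying no control at all (residual equals inherent)."""
    return [r.risk_id for r in register if not r.controls]


# Constructed sample register (hypothetical entries, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("R-01", "Privileged access retained after termination", "operational",
         "likely", "major",
         [Control("HR-triggered deprovisioning", "preventive", 0.8),
          Control("Quarterly access review", "detective", 0.5)]),
    Risk("R-02", "Hosting provider outage", "third-party", "possible", "severe",
         [Control("Multi-region failover", "preventive", 0.6)]),
    Risk("R-03", "Fraudulent vendor invoice approved and paid", "fraud",
         "possible", "moderate"),
    Risk("R-04", "Untested change deployed to production", "change", "likely", "moderate",
         [Control("Change approval and test sign-off", "preventive", 0.7)]),
]

if __name__ == "__main__":
    tolerance = 5.0  # assumed risk tolerance, on the same scale as the scores
    for r in SAMPLE_REGISTER:
        print(f"{r.risk_id} inherent={r.inherent_score():>2} residual={r.residual_score():>5}")
    print("action plans:", [r.risk_id for r in risks_needing_action(SAMPLE_REGISTER, tolerance)])
    print("missing categories:", missing_categories(SAMPLE_REGISTER) or "none")
    print("uncontrolled:", uncontrolled(SAMPLE_REGISTER))
```

With a tolerance of 5.0 the sample register yields two action-plan candidates, the uncontrolled fraud risk R-03 (residual 9.0) and the third-party risk R-02 (residual 6.0), while R-01 and R-04 fall within tolerance once their controls are counted. The value of the register comes from the review, not the arithmetic: the effectiveness figures are management’s judgment and should be revisited whenever monitoring (CC4) finds a control not operating as designed.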

 

CC4: Monitoring activities

Common Criteria 4 – Monitoring Activities

The principles listed below have been sourced directly from COSO.org.

  • COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  • COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Monitoring is the process of evaluating the effectiveness of internal controls and making the adjustments needed to improve the internal control posture. Monitoring activities evaluate the entity’s system of internal control to ascertain whether controls are present and operating effectively. Corrective actions are taken when deviations or deficiencies are identified.

A sampling of controls to meet the monitoring activities objectives follows.

  • The entity independently monitors and evaluates control activities to determine that controls are operating effectively to adequately support service commitments and system requirements.
  • Management communicates with those responsible for taking action when deficiencies are known.
  • Corrective action plans are developed to remediate control deficiencies, reduce risk, and modify control activities so that they operate effectively.

 

CC5: Control Activities

Common Criteria 5 – Control Activities

The principles listed below have been sourced directly from COSO.org.

  • COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.
  • COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

COSO control activities are supported by the policies and procedures that are put in place to mitigate risks. Control activities are the actions established by the entity through its policies, procedures, and processes that work in conjunction with each other to mitigate risks, maintain strong internal controls, and achieve the entity’s objectives.

Entities continually fine-tune their control activities related to the design and implementation of controls to make them more effective and efficient over time. These control activities are performed throughout all levels of the organization and incorporate the technology environment.

Control activities may be preventative or detective and automated or manual. A mix of control types is best to ensure adequate coverage for the achievement of objectives.

Within the Trust Services Criteria, control activities are further broken out into logical and physical access controls (CC6), system operations (CC7), change management (CC8), and risk mitigation (CC9). A small sampling of controls that help to meet the control activities component is noted below.

  • Policies and procedures are developed, periodically reviewed, and updated as needed.
  • The entity establishes appropriate segregation of duties.
  • System access is restricted to authorized individuals commensurate with their job responsibilities.
  • Incidents are tracked, addressed, and resolved in a timely manner.
  • Changes to infrastructure, applications, and data are authorized, tested, and approved prior to deployment to production.
  • Backups are regularly performed and stored offsite.

Frequently Asked Questions About COSO and the Trust Services Criteria

Some of the more commonly asked questions we receive from clients when it comes to COSO and the Trust Services Criteria are as follows.

What Does COSO Stand For?

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission.

What Is the COSO Framework?

The COSO framework is an internationally known internal control framework for companies in various industries.

What Are the Five Components of COSO?

The five components of COSO are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring Activities

What is COSO in SOC 2?

The five COSO components are included in the common criteria of the AICPA Trust Services Criteria relevant to security, which are part of every SOC 2 report issued.

How Many COSO Principles Are There in SOC 2?

All 17 principles under the five COSO components are included within the common criteria that are part of the AICPA Trust Services Criteria relevant to security and part of every SOC 2 report issued.

What Are the Five Trust Services Criteria For SOC 2?

The five AICPA Trust Services Criteria (called trust services categories in the 2017 revision) are:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

What Principle Must Always Be Included in a SOC 2 Report?

The security criteria, also known as the common criteria, include the five COSO components and 17 principles and must be included in every SOC 2 report issued.

Summary

The COSO Internal Control-Integrated Framework and the AICPA Trust Services Criteria are two valuable frameworks that can be used to assess and improve the effectiveness of internal controls. Organizations can evaluate the current state of their internal control system and develop a plan for correcting any weaknesses. While there are some key differences between the two frameworks, they are also aligned in several ways. Organizations can use both frameworks to identify and mitigate risks and improve the overall quality of their internal controls.

Aligning the AICPA Trust Services Criteria with the 2013 COSO framework is a logical way to apply foundational internal controls at an entity as a whole because the 2013 COSO framework is a widely used and accepted internal control framework.

The five components and 17 principles of COSO are made part of the common criteria under the AICPA Trust Services Criteria for all SOC 2 reports.

Effectively designing and operating internal controls helps support the achievement of the service organization’s service commitments and system requirements over the services provided to its user entities. A service organization that has a SOC 2 report has a competitive advantage: it can gain trust by providing customers and potential customers with a report that shows how its controls are designed and operating effectively to meet the SOC 2 requirements for the applicable criteria.

If you would like more information, contact us at Linford & Company and we will help you with your SOC reporting needs. Our team of IT professionals completes SOC 1 audits (formerly SAS 70 / SSAE 16) and SOC 2 audits on behalf of many service organizations around the world.

This article was originally published on 4/10/2019 and was updated on 3/27/2024.