I once attended a training where the class was broken out into small groups, and each group was tasked with assembling an elaborate box of blocks and accessories in a precise order to create a motorcycle. However, for this exercise, the instructions were removed from the box and the moderator did not provide any guidance or checkpoints along the way to correct any errors or monitor progress. As you can imagine, the results were all over the board. While some groups were able to assemble something with two wheels that moved, nobody came close to creating the masterpiece that was shown on the box. We all agreed that the results would have been different had we been provided instructions and given some checkpoints along the way. We just didn’t have the information needed to complete the task correctly.
Similarly, businesses can run into the same issue when information is not available or disseminated to the appropriate parties to help them understand their responsibilities or carry out tasks. As part of a SOC 2 examination, organizations will need to demonstrate that they have controls in place related to the gathering of information and communicating information to internal and external parties, specifically as it relates to the functioning of internal control.
What Is Information & Communication?
In terms of the illustration noted above, information is the instructions and checkpoints that explain how to complete the task. Communication is the means used to convey that information to the relevant parties. In the context of a SOC 2, information is the instructions, guidance, and data that enable personnel to understand and perform their responsibilities as they relate to internal control. Communication is how that information is conveyed to users, such as through policies, training, agreements, etc.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), per the COSO Internal Control–Integrated Framework Executive Summary, includes this statement on information and communication:
“Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives…Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity…External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.”
How Does Information & Communication Relate To Internal Control?
The five components of internal control, based on COSO’s Integrated Framework, are as follows:
- Control environment
- Risk assessment
- Control activities
- Information & communication
- Monitoring activities
The Framework includes principles for each of the components which, if applied, can help organizations achieve effective internal control. The 17 principles from the COSO Framework, which include information and communication, are included or aligned with the Trust Services Criteria.
What Are The Trust Services Criteria?
The Trust Services Criteria include the following five areas:
The criteria related to information and communication are included in the security criteria. Security covers the common criteria and is required for every SOC 2 examination. A SOC 2 report cannot contain the other criteria without including security. As a result, information and communication controls and procedures must be evaluated as part of any SOC 2 examination.
What Are The Information And Communication Criteria For A SOC 2?
The Information and Communication criteria (from the AICPA, listed here and in the sections below), which align with principles 13, 14, and 15 from the COSO Framework, are as follows:
- CC2.1/COSO Principle 13: “The entity obtains or generates and uses relevant, quality information to support the function of internal control.”
- CC2.2/COSO Principle 14: “The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
- CC2.3/COSO Principle 15: “The entity communicates with external parties regarding matters affecting the functioning of internal control.”
The criteria or principles cover three different activities: information gathering, internal communication, and external communication. These criteria need to be satisfied through controls and procedures implemented by the service organization.
What Controls Are Needed To Meet The Criteria For Information And Communication?
The AICPA has provided points of focus for each criterion or principle that can guide organizations while implementing controls to address the criteria. There are more than 30 points of focus related to the information and communication criteria. A summary of the points of focus, along with some example controls/procedures that could be used to address the criteria for information and communication, is noted below.
Criteria CC2.1
“The entity obtains or generates and uses relevant, quality information to support the function of internal control.”
The points of focus for this area cover the following:
- Identify information requirements.
- Implement mechanisms to capture and process relevant data.
- Classify information.
- Document data flows.
- Identify and manage assets such as infrastructure, software, and other information assets.
Example Controls:
- Use monitoring tools to identify and alert responsible parties of system issues, errors, vulnerabilities, and threats.
- Create and maintain system and network diagrams, and data flow diagrams.
- Implement a data classification policy.
- Create and maintain an inventory, including location, of information system assets.
Criteria CC2.2
“The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
The points of focus for this area cover the following:
- Communicate internal control and responsibilities and objectives, including changes in responsibilities and objectives, to personnel.
- Provide information on how to report systems failures, incidents, and concerns.
- Communicate with the board of directors.
- Communicate system changes.
- Provide separate communication lines, such as whistleblower hotlines.
- Communicate information to improve security knowledge and awareness, including privacy matters where applicable.
Example Controls:
- Implement company policies and make them available to personnel. Policies should cover the following, although this is not an exhaustive list:
  - Information security
  - Code of conduct
  - Acceptable use
  - Risk management
  - Vendor risk management
  - Incident response plan
  - Change management
  - Access control
  - Data retention
  - Business continuity and disaster recovery
  - Data backup
  - Vulnerability management
  - Encryption and key management
- Conduct annual security awareness training for all personnel.
- Institute a whistleblower hotline or other means for anonymous or confidential communication.
- Document and retain meeting minutes of board meetings.
- Provide personnel with various reporting channels and information on how to report issues.
- Implement a mechanism to alert personnel of system changes.
Criteria CC2.3
“The entity communicates with external parties regarding matters affecting the functioning of internal control.”
The points of focus for this area cover the following:
- Communicate information about the design and operations of systems, system boundaries, objectives and responsibilities, and system changes to external users.
- Enable inbound communication and provide information on how to report systems failures, incidents, and concerns.
- Communicate results of third-party assessments with the board of directors.
- Provide separate communication lines, such as whistleblower hotlines.
Example Controls:
- Create terms and conditions, a privacy policy, master service agreements, etc. that communicate responsibilities and expectations to external users.
- Similar procedures as noted above for internal communication but with a focus on external parties.
Summary
Information and communication are important components for organizations to consider, as the absence of either one can produce results or actions that are undesirable or not in line with expectations. It can even lead to internal control failures. As it relates to a SOC 2 report, organizations must consider and implement controls related to information and communication in order to satisfy the criteria. Details have been provided on what information and communication are, their linkage to a SOC 2 report, and the requirements. Examples have also been provided that can assist you as you begin evaluating your controls related to this area. I hope this article helps you understand the information and communication criteria and assists you as you prepare for your own SOC 2 examination.
Linford & Company has a team of audit professionals that have assisted clients in identifying gaps in controls and procedures relevant to the trust services criteria, as well as preparing for SOC 2 examinations. These services are available to all clients as part of the readiness assessment.
If you would like guidance regarding your upcoming attestation, or would like to learn more about our many audit services, please contact us.
Kevin has over ten years of experience in internal controls, audit, and advisory work. Kevin started his career in public accounting at Deloitte focusing on internal controls, SOC audits, and IT assurance work. After Deloitte, Kevin filled a leadership role in the SOX Compliance group at a financial services company. Kevin is a CPA and holds a Bachelor of Science degree in Accounting from Brigham Young University and a Master of Business Administration degree from Ohio University.