Upon scanning through the Common Criteria for a SOC 2, it doesn’t take long to come across criteria related to governance and the overall control environment. In particular, Common Criteria 1.2 (CC1.2)/COSO Principle 2 specifically addresses the role and expectations of the board of directors in providing oversight of internal controls. For small businesses or less mature organizations, this can be a potential hindrance in moving forward with a SOC 2. However, is a formal board of directors absolutely required to successfully address this criterion in a SOC 2 examination? Are other forms of governance sufficient? The purpose of this post is to examine this requirement in relation to a SOC 2 report and its application to organizations where a board of directors is not legally required, is not feasible, or is unwarranted based on the nature of the entity.
What is a Board of Directors?
In the traditional sense (i.e. in relation to a corporation), a board of directors is a group of individuals, elected by shareholders, who form the governing body of the company and oversee management and the strategic direction of the organization. The board typically consists of internal executives as well as outside directors who are not employed or engaged with the organization. The board of directors makes decisions on behalf of the company and its shareholders.
When is a Board of Directors Required?
Certain organizations, such as public companies and S and C corporations, are legally required to have a board of directors in place. This is further defined by state law. The board’s composition, roles, and responsibilities are addressed in articles of incorporation, bylaws, and/or company charters. As such, public companies and corporations are well-positioned to satisfy requirements related to governance performed by the board of directors. However, limited liability companies (LLCs) and sole proprietorships, for example, are not required to have a board of directors. These organizations may elect to have a board of directors, but some may find it too costly or unnecessary to form a board with independent board members.
What is the SOC 2 Requirement for a Board of Directors?
As set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, CC1.2 states:
“The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:
- Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
- Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
- Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
- Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.”
As stated, the criterion requires that a board of directors be in place to provide adequate supervision and oversight of the organization. There appears to be little wiggle room when contemplating the need for a board of directors when engaging in a SOC 2 examination. However, the characteristics called out in the points of focus are not exclusive to a board of directors. A management team, or even an owner-manager, depending on the complexity of the organization, could fulfill the characteristics noted above. It seems reasonable that other forms of governance, depending on the nature of the entity, could provide adequate oversight where a board of directors is not in place.
Are There Alternatives to a Board of Directors?
Per TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, the AICPA offers a broader definition of a board of directors:
“Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.”
Based on the definition provided by the AICPA as noted above, those with responsibility for overseeing the entity are not confined to the traditional board of directors model. Rather, the AICPA recognizes that different forms of governance, depending on the nature of the entity, may be sufficient for the organization to achieve its service commitments and system requirements. So, yes, different forms of governance, depending on the nature of the entity, may be sufficient as an alternative to a board of directors.
For example, for a less complex organization with fewer personnel, a service auditor may conclude that a senior management team or executive committee provides sufficient oversight of the company and that the achievement of the service commitments and system requirements is not impacted by the lack of a formal board of directors. In such an environment, management likely participates heavily in the supervision and review of key controls, thus providing oversight of internal controls. They would be influential in the organization’s commitment to ethical and legal conduct and would also be involved in the recruitment and evaluation of employees and consultants to ensure adequate knowledge and expertise are present. In addition, management teams in this setting generally possess adequate competence and knowledge of the organization and its processes to provide oversight without overreliance on others within the organization.
In response to the question, “Is a board of directors required to satisfy certain criteria for a SOC 2 examination?”, the answer is yes, if based strictly on the wording of CC1.2. However, as the AICPA has clarified, the board of directors, or those responsible for overseeing the organization, can take on different forms depending on the nature of the entity. It is important to note that it is the service auditor’s responsibility to evaluate whether the service organization’s governance model is adequately designed to address the applicable trust services criteria for a SOC 2. The service auditor will consider the nature and complexity of the organization, as well as the risks impacting the organization, in their assessment.
Please contact us at Linford & Company if you would like more information regarding SOC reports. Our team of IT audit professionals completes Type I and Type II SOC 1 and SOC 2 audit reports on behalf of service organizations located around the world. We are available to answer questions you may have regarding SOC compliance requirements and your auditing needs.
Kevin has over ten years of experience in internal controls, audit, and advisory work. Kevin started his career in public accounting at Deloitte focusing on internal controls, SOC audits, and IT assurance work. After Deloitte, Kevin filled a leadership role in the SOX Compliance group at a financial services company. Kevin is a CPA and holds a Bachelor of Science degree in Accounting from Brigham Young University and a Master of Business Administration degree from Ohio University.