You just received the draft SOC 1 or SOC 2 report from your auditor and as you’re scrolling through the opinion, you notice a reference to “Inherent Limitations.” Inherent Limitations? Is your SOC report suggesting your controls are inadequate?
Your auditor is not telling the world you have weak controls; however, every auditor opinion will reference the inherent limitations of internal controls, generally stated like this:
“Because of their nature, controls may not always operate effectively to provide reasonable assurance that the service organization’s service commitments and system requirements are achieved based on the applicable trust services criteria. Also, the projection to the future of any conclusions about the suitability of the design and operating effectiveness of controls is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.” For additional guidance, refer to this helpful resource from the AICPA.
What are Internal Controls?
If you’re reading this, chances are you already know what an internal control is. As we’ve previously discussed in another blog post, “internal controls (which include manual, IT-dependent manual, IT general, and application controls) are essential process steps that allow for one to determine or confirm whether certain requirements are being done per a certain expectation, law, or policy. Additionally, internal controls allow auditors to perform tests to gain assurance that a process is designed and operating properly.” Any compliance framework (SOX, SOC 1, SOC 2, PCI, HITRUST, etc.) requires the auditee to establish a set of internal controls that an auditor can test to demonstrate compliance with the framework.
Why Do Internal Controls Have Inherent Limitations?
Internal controls are inherently limited for many reasons. First, controls are assessed over a period of time, and the results are not necessarily indicative of a future period of time. Second, auditors are unable to obtain absolute assurance with respect to your internal controls because of factors such as the need for judgment, the use of sampling, etc. Much of the evidence made available to the auditor is persuasive rather than conclusive in nature. Finally, there is a risk of material omissions or errors made by the auditor or auditee.
What are the Inherent Limitations of Internal Control?
The most common inherent limitations of internal control can be summarized into 5 categories:
- Collusion – the risk that two or more employees could act together to undermine the functioning of an internal control. An example of this is a scenario where two engineers work together to facilitate the approval and release of an erroneous or malicious system change. The system change will appear to have followed the SDLC process, but the malicious intent may not be discovered until after the fact.
- Management Override – the risk that certain individuals have the authority to authorize an exception to an internal control. For example, the Chief Information Security Officer may have the authority to approve elevated access permissions for individuals, but if done inappropriately, it could undermine your access management controls.
- System Error – the risk that automated system controls break down without notice. More and more companies rely on automated system controls to maintain the security, availability, and integrity of their systems. However, if the configuration to enforce encryption is overridden in a system upgrade, you may lose a key data protection control if no one is alerted to the change.
- Human Error – the risk that your employees are improperly trained, have insufficient experience, or are prone to making mistakes. Your internal controls are only as strong as the humans that operate them, so if your system administrator does not understand the importance of disabling access for terminated employees within 24 hours, your access removal control will be rendered ineffective.
- Incorrect Judgment – the risk that the controls you have identified do not adequately mitigate the risk to your business or operating environment. Identifying adequate internal controls is more an art than a science, and you may realize the industry-leading vulnerability scanner is not suitable for your technology after you identify vulnerabilities that it missed.
How Do I Mitigate Against the Limitations of Internal Controls?
This is terrible news, right? What was the point of investing so much time and money into your SOC 1 or SOC 2 report if it’s inherently limited? Don’t despair. You can mitigate the risks of these inherent limitations by designing your internal control environment to include a variety of control types. Your internal controls should include a combination of manual controls and automated controls. You should establish both preventative controls and detective controls. To mitigate the risks we described above, consider the following:
- Collusion – in addition to a well-established SDLC process that requires adequate change testing, approvals, and access controls, implement automated alerting to a broad audience whenever changes are released to production.
- Management Override – the risk that certain individuals have the authority to authorize an exception to an internal control. For example, the Chief Information Security Officer may have the authority to approve elevated access permissions for individuals, but if done inappropriately, it could undermine your access management controls.
- System Error – implement automated monitoring and alerting on key configurations/controls.
- Human Error – establish performance review protocols that include an evaluation of your employees’ internal control responsibilities.
- Incorrect Judgment – conduct periodic risk assessments to re-evaluate your current internal controls against emerging threats, changes to your operating environment, evolving technologies, etc.
In summary, internal controls may have inherent limitations, but you can mitigate this risk. Absolute assurance over an internal control environment may not be achievable, but a good auditor can guide you through the process of developing an internal control environment that will give you the best chance for success. For more information, reference the following resources or reach out to Linford & Co. to discuss further.
- What Are Internal Controls? The 4 Main Types of Controls
- Establishing an Effective Internal Control Environment
- Control Objectives & Activities: What Are They & What’s Appropriate?
Maggie spent nearly 10 years in KPMG’s IT Advisory and Attestation practice before joining a financial technology company as the Risk and Compliance Director. She has overseen numerous SOC 1 / SOC 2 audits and other IT Compliance audits and has vast experience implementing risk management and IT compliance solutions. She is Certified in Risk and Information Systems Control (CRISC) and obtained a Bachelor of Science in Business Administration, Finance, from the University of Colorado at Boulder.