SOC 2 and the Control Environment: Understanding the Criteria

When contemplating or preparing for a SOC 2 examination, the initial effort is generally focused on implementing information technology (IT) controls and processes over infrastructure and software, which are core to the system being addressed by the SOC 2 examination. While this is a significant portion of the SOC 2, many organizations are surprised to learn that there are several trust services criteria that need to be addressed that are not IT-focused, or specifically related to infrastructure resources. For example, how does the entity demonstrate a commitment to integrity and ethical values? Or how does the entity identify and address risk?

An area that often requires additional effort in preparing for a SOC 2 is the control environment. This article will focus on the control environment criteria and provide information on the requirements related to a SOC 2, and how those requirements can be fulfilled.

What is the Control Environment?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines the control environment as the set of standards, processes, and structure that provides the basis for carrying out internal control across the organization. It includes the “tone at the top” where management reinforces the importance of internal controls and establishes expected behavior and conduct through company policies and procedures. Per the COSO Internal Control – Integrated Framework Executive Summary:

“The control environment comprises the following:

• The integrity and ethical values of the organization
• The parameters enabling the board of directors to carry out its governance oversight responsibilities
• The organizational structure and assignment of authority and responsibility
• The process for attracting, developing, and retaining competent individuals
• The rigor around performance measures, incentives, and rewards to drive accountability for performance.”

 

Why is the Control Environment Evaluated in a SOC 2 Examination?

First, it is a requirement set forth within the trust services criteria. COSO’s 2013 Internal Control-Integrated Framework (Framework) includes five components that are required to achieve the stated objectives within the Framework. The five components are as follows:

• Control environment
• Risk assessment
• Control activities
• Information & communication
• Monitoring activities

The Framework also includes 17 principles across those components, and through the application of the principles, an entity can achieve effective internal control. The trust services criteria align with the 17 principles from the COSO Framework, and as such, are evaluated as part of a SOC 2 examination. Furthermore, these principles constitute part of the common criteria evaluated in a SOC 2 examination, and as such, are included in every SOC 2 report regardless of the selected trust services categories (security, availability, confidentiality, process integrity, and privacy).

Second, as noted in the previous section, the control environment provides the basis for carrying out internal controls across the organization. So, while not always directly correlated to a specific application, it is an important element in considering the internal control system in place at the entity.

 

What are the Control Environment Criteria for a SOC 2?

As mentioned previously, the 17 principles from the COSO Framework are aligned with the trust services criteria. The first five AICPA trust services criteria relate to the control environment and are as follows:

• “CC1.1/COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
• CC1.2/COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
• CC1.3/COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
• CC1.4/COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
• CC1.5/COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”

 

What Controls are Needed to Address the Control Environment Criteria for a SOC 2?

Within each principle or common criteria, there are points of focus that provide important considerations for the criteria. The points of focus can be used to guide and assist management when designing, implementing, and operating controls. However, not all points of focus are suitable or relevant to the entity and can be customized as needed. Moreover, a SOC 2 examination does not assess whether each point of focus was addressed. Judgment is used to determine which points of focus are relevant and needed to address the related criteria for the entity.

While there will be differences between organizations, there are some standard processes that are typically included to address the criteria related to the control environment. A sample of questions noted below can help management begin to evaluate the entity’s readiness to meet the criteria for the control environment. Depending on the maturity of the organization, implementing controls to satisfy these criteria can require a significant amount of effort in preparation for a SOC 2 examination. The good news is that many of these controls and procedures are best practices and are not solely implemented to complete a SOC 2 requirement.

Integrity and Ethical Values

• Has management set expectations and established standards of conduct?
• Are these formally documented (e.g., employee handbook or code of conduct), and how are employees made aware of these standards?

Board of Directors

• Do you have a board of directors? If not, is there another governance committee(s) that provides oversight of the organization?
• Does the board of directors have sufficient members independent from management, and is it composed of individuals with the appropriate skills and expertise to provide oversight of the organization?
• Does the board of directors meet on a regular basis and are minutes kept and archived?

Organizational Structures, Reporting Lines, and Authority

• Has an organizational chart been created which defines teams and reporting relationships?
• Have specific responsibilities for security been assigned?
• Have job descriptions been formally documented to communicate responsibilities to employees?

Attract, Develop, and Retain Competent Individuals

• Have formal HR policies and hiring practices been created that include the evaluation of candidates, performance of background checks, and requirements for employee agreements and acknowledgments?
• Are formal trainings provided on a periodic basis, particularly around security responsibilities (i.e. security awareness training)?

Holding Individuals Accountable

• Are performance evaluations being performed?
• Is there a mechanism in place to provide feedback (and discipline) to employees on a periodic basis?

Summary

The control environment is often an area where organizations may need additional work performed in preparation for a SOC 2 examination, since it primarily deals with controls that are not directly tied to the infrastructure and software related to the system. However, as the trust services criteria related to the control environment are included in all SOC 2 examinations, it is important for entities to understand and evaluate their controls and procedures related to the control environment.

Linford & Company has helped many new clients identify gaps in controls and procedures relevant to the trust services criteria and prepare for SOC 2 examinations. These services are available to all clients as part of the readiness assessment.

If you would like assistance for your upcoming attestation, or would like to learn more about our many audit services, please contact us.