Having the right controls in place is critical for an organization to protect its systems and safeguard its clients’ data. Identifying, designing, and implementing an appropriate set of controls is quite an accomplishment for most young companies. If you have implemented controls within your organization to maintain security, the next question to ask is: How do you know the controls in your company’s environment are being performed?
We have performed hundreds of SOC readiness assessments for organizations preparing for their first SOC 2 examinations. Over the years, we have seen security being integrated into the design of start-up systems and processes at earlier stages and to a greater degree. However, monitoring activities is the one area that is most often overlooked.
What are Monitoring Activities?
Monitoring activities are periodic or ongoing assessments performed by an organization to determine whether internal controls are present and functioning around their products or services. In other words, monitoring activities are the things you do to find out whether or not controls are being performed as intended.
The following is a case that I hope will help illustrate the difference between monitoring activities and other control activities.
ABC Corp. uses an application to deliver services to its clients. To safeguard the application, ABC Corp. has implemented controls within the change management process to ensure that only authorized changes are made to the application. ABC Corp. has formally documented change procedures that engineering personnel are required to follow. ABC Corp.’s change management process requires each change to be 1) authorized for development, 2) peer reviewed and approved, and 3) QA tested and approved before it can be deployed to production.
To make sure the change management process is consistently followed, ABC Corp. has an employee outside of the engineering department select a dozen changes performed during the year and check whether each change was authorized, peer reviewed, QA tested, and approved prior to being deployed to the application. The results of this check are reported back to ABC Corp. management.
The first paragraph lists a number of control activities in ABC Corp.’s change management process. The second paragraph describes how management monitors whether those control activities are being performed consistently.
What is the Importance of Monitoring Activities?
So, why do you need to monitor control activities? Isn’t that why companies pay firms to come in and audit them? These are fair questions. Prior to the latest Trust Services Criteria, SOC 2 examinations did not include monitoring activities. The American Institute of Certified Public Accountants (AICPA) added monitoring activities to the SOC 2 criteria to reinforce that each organization is responsible for ensuring that the design and operation of its controls are effective.
A meeting I once had with a CISO highlights the prevalent perspective and attitudes prior to the Trust Services Criteria being updated. We were kicking off their annual SOC 2 examination. This was not a small business as the organization had annual revenues between $4-5 billion. The CISO was excited to have us come in and assess their controls as they had made a number of improvements in the interim. I’ll never forget him saying, “I am so happy to have you guys back. I’m looking forward to finding out how we did this year!”
Today, external examinations of an entity’s internal controls should be a validation of what management has learned from their own monitoring activities rather than being the first exposure or an annual report card for management.
What are the Five Trust Services Criteria for SOC 2?
The Trust Services Criteria are split up into the following five areas:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Which of the preceding principles/criteria must always be included in a SOC 2 report? Security is the base criteria that must be included in the scope of any SOC 2 audit. If you want to have availability, processing integrity, confidentiality, or privacy included in a SOC 2 assessment, you will also need to include security because without adequate security you cannot ensure the criteria for the other four areas are met.
“The COSO Cube” – Image Source: COSO
What are the Monitoring Activities Criteria within the Trust Services Criteria (TSCs)?
So, where do monitoring activities fall in the SOC 2 criteria? Monitoring activities are a subsection of the Trust Services Criteria relevant to security, i.e., the SOC 2 common criteria (CC4.1 and CC4.2). The monitoring activities of the Trust Services Criteria originate from the integrated framework for internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Monitoring activities is one of the five components of internal control within COSO’s framework. COSO principles 16 and 17 are the monitoring activities criteria. They are quoted below from COSO.
- “COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”
- “COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”
As you can see, the criteria are worded broadly, and taken by themselves, they may be a little vague. The AICPA has provided points of focus that represent important characteristics of the criteria to help clarify the expectations. They are essentially examples of controls that could be employed to meet the criteria. An entity does not necessarily need to have a control for each point of focus, but should have controls that meet or address the requirements that they exemplify.
“COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”
Listed below are the Points of Focus:
- “Considers a Mix of Ongoing and Separate Evaluations – Management includes a balance of ongoing and separate evaluations.
- Considers Rate of Change – Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.
- Establishes Baseline Understanding – The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.
- Uses Knowledgeable Personnel – Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.
- Integrates With Business Processes – Ongoing evaluations are built into the business processes and adjust to changing conditions.
- Adjusts Scope and Frequency – Management varies the scope and frequency of separate evaluations depending on risk.
- Objectively Evaluates – Separate evaluations are performed periodically to provide objective feedback.
- Considers Different Types of Ongoing and Separate Evaluations – Management uses a variety of ongoing and separate risk and control evaluations to determine whether internal controls are present and functioning. Depending on the entity’s objectives, such risk and control evaluations may include first- and second-line monitoring and control testing, internal audit assessments, compliance assessments, resilience assessments, vulnerability scans, security assessments, penetration testing, and third-party assessments.”
“COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”
Listed below are the Points of Focus:
- “Assesses Results – Management and the board of directors, as appropriate, assess the results of ongoing and separate evaluations.
- Communicates Deficiencies – Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
- Monitors Corrective Action – Management tracks whether deficiencies are remedied on a timely basis.”
How to Implement Monitoring Activities
There are a number of factors that management should consider when designing monitoring activities. You need to know the what, how, when, and who of monitoring.
What to Monitor
Management should use a risk-based approach to determine the extent to which monitoring activities are needed. Management should assess the risks facing the organization and prioritize monitoring the controls over activities that carry higher levels of inherent risk. For example, monitoring management’s periodic review of policies and procedures is typically a lower priority than monitoring the performance of the control activities within the process itself.
Remember to prioritize by inherent risk (the risk before any controls are applied) rather than residual risk (the risk remaining after the controls are considered), because you want to be monitoring the controls that reduce the greatest amount of risk first. For example, a transaction process may be considered less risky than patch management for servers once its controls are taken into account; however, a transaction process typically has more inherent risk. So, you want to be monitoring the controls over transaction processing before patch management. It would be great if you could monitor everything, but that is not feasible with limited resources. Please do not misunderstand, I am not suggesting that you don’t need to monitor patch management (you should), but it would be a lower priority than transactions.
How to Monitor
Once you have identified the priority areas, you can then determine what controls are the “key controls” in each process or area. While all controls should be performed, not all controls are key. Using the earlier example of ABC Corp.’s change management process, you may elect to monitor whether changes are peer-reviewed and tested while not monitoring the reviews of change procedures and the authorization of changes for development if you deemed the first two as the critical control points that prevent unauthorized changes from being deployed.
When you have prioritized process areas and identified the key controls within them, you are ready to determine how to monitor the control activities. You will likely need a variety of methods to monitor different types of controls.
You might consider monitoring tools for controls that are automated by or performed with the aid of technology. For example, hardware, network, or cloud configurations can be continuously monitored through a number of solutions. An advantage of continuous monitoring is that you can see the state of a control at any point in time and how it has changed over a period of time, rather than only at the moment a sample is pulled. A disadvantage is that most tools that offer these capabilities cost money.
Most controls that are performed manually will need a person to test them on a periodic basis. That will entail looking at documented evidence that a control was performed. For example, if all new hires are required to review and physically sign the employee handbook, you would need to periodically pick a sample of new hires and check to see that there is a signed handbook for each one.
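The evidence check described above for ABC Corp.’s change management process can itself be automated once change records are exported from a ticketing or source-control system. The following is an added example (it is not code from the original post or from ABC Corp.); the `Change` record layout, field names, and sample records are constructed assumptions. It pulls a reproducible sample, checks that each change has an authorization, a peer review by someone other than the author, and a QA approval, and that both sign-offs predate deployment, then returns the deficiencies that would be reported to management.

```python
"""Added example (not from the original post): an automated monitoring
check over change-management records, modelled on the ABC Corp. process.

Assumptions (hypothetical): change records have been exported from the
ticketing / source-control system into the Change structure below; the
field names and the sample records are constructed for this example.
"""
import random
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Change:
    change_id: str
    author: str                        # engineer who wrote the change
    authorized_by: Optional[str]       # who approved it for development
    reviewed_by: Optional[str]         # peer reviewer
    reviewed_at: Optional[datetime]
    qa_approved_by: Optional[str]      # QA sign-off
    qa_approved_at: Optional[datetime]
    deployed_at: datetime


def evaluate_change(c: Change) -> List[str]:
    """Check one change for evidence of each control step.

    Returns a list of deficiencies; an empty list means every required
    sign-off is present, the peer review did not come from the author,
    and both review and QA approval preceded deployment.
    """
    findings: List[str] = []
    if not c.authorized_by:
        findings.append("no authorization for development")
    if not c.reviewed_by:
        findings.append("no peer review")
    elif c.reviewed_by == c.author:
        findings.append("self-review: reviewer is the author")
    elif c.reviewed_at is None or c.reviewed_at > c.deployed_at:
        findings.append("peer review missing timestamp or after deployment")
    if not c.qa_approved_by:
        findings.append("no QA approval")
    elif c.qa_approved_at is None or c.qa_approved_at > c.deployed_at:
        findings.append("QA approval missing timestamp or after deployment")
    return findings


def sample_changes(changes: List[Change], n: int, seed: int) -> List[Change]:
    """Pick n changes at random with a fixed seed so the selection is
    reproducible and can be shown to the auditor (not cherry-picked)."""
    rng = random.Random(seed)
    return rng.sample(changes, min(n, len(changes)))


def monitor(changes: List[Change], sample_size: int = 12,
            seed: int = 2024) -> Dict[str, List[str]]:
    """Run the check over a sample and return {change_id: deficiencies}
    for the changes that failed; this is what goes back to management."""
    report: Dict[str, List[str]] = {}
    for c in sample_changes(changes, sample_size, seed):
        findings = evaluate_change(c)
        if findings:
            report[c.change_id] = findings
    return report


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed sample records (not real data): one clean change and four
# that each fail a different control step.
SAMPLE_CHANGES = [
    Change("CHG-101", "alice", "pm-dan", "bob", _t("2024-03-01"),
           "carol", _t("2024-03-02"), _t("2024-03-03")),
    Change("CHG-102", "alice", "pm-dan", "alice", _t("2024-03-04"),
           "carol", _t("2024-03-05"), _t("2024-03-06")),
    Change("CHG-103", "bob", "pm-dan", "alice", _t("2024-03-07"),
           None, None, _t("2024-03-08")),
    Change("CHG-104", "bob", "pm-dan", "alice", _t("2024-03-12"),
           "carol", _t("2024-03-09"), _t("2024-03-10")),
    Change("CHG-105", "alice", None, "bob", _t("2024-03-13"),
           "carol", _t("2024-03-14"), _t("2024-03-15")),
]


if __name__ == "__main__":
    for change_id, findings in monitor(SAMPLE_CHANGES).items():
        print(change_id, "->", "; ".join(findings))
```

Note that the check looks only at whether the sign-offs exist, who gave them, and when; it never inspects the code itself, which is exactly the split a non-engineer monitor needs. The fixed seed is deliberate: a monitoring sample that can be regenerated on demand is far more persuasive to an auditor than one picked by hand.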
When to Monitor
The frequency of monitoring activities is quite flexible depending on the priority and nature of the controls, the risk related to the area, and the organization’s resources. At a minimum, key controls should be assessed on an annual basis to meet SOC 2 requirements. For example, your organization may elect to do one big audit once a year that checks all key controls over a dedicated period (e.g., weeks, months, quarters). Another option is to break the work up into smaller audits performed monthly or quarterly that together cover all key controls once a year.
Who Should Monitor?
There is quite a bit of flexibility in who can perform monitoring activities, but there are two primary rules you need to abide by.
- A person cannot monitor or check their own work. Just as it is not a good idea to have the fox guard the hen house, you do not want someone monitoring who is incentivized not to promptly and accurately report errors or problems to management. If I am a software engineer, I probably should not be the one monitoring the change management process because there is pressure/incentive for me not to report issues that would reflect negatively on my performance or that of my friends. In such cases, I may tend to be more lenient and not report simple “mistakes” or “oversights” in order to preserve my job.
- A person monitoring must be able to understand the process and evidence sufficiently well to assess it. The person monitoring must recognize and distinguish between what is expected and variances. Some will argue that this rule runs counter to the first. For example, how can a person check the change management process without being able to code? The answer is simple. The person monitoring change management does not need to check the quality and accuracy of the code developed for a change, but (in the case of ABC Corp.) they need to know where to look to see if a peer signed their approval after reviewing the code change or where QA documented their approval after testing the change.
I hope this helps you to understand the SOC 2 monitoring activities criteria. We discussed what monitoring activities are, why monitoring is important, and how you can go about designing and implementing monitoring activities within your organization. If you have any questions about this post or about our SOC 1 and SOC 2 services, please feel free to contact us at Linford & Company and we will be happy to help in any way we can.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.