Adopting to the ever-changing business landscape is a bit easier when the standards, guidelines, regulations, and controls adapt at scale. Since the first iteration of an Internal Control-Integrated Framework was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992, the standard for internal controls has been changed, revised, and added to multiple times.
The current Internal Control-Integrated Framework, COSO 2013, encompasses a broader range of risk management strategies. In addition, the new framework addresses the importance of implementing controls to manage new risks presented within an IT environment and evaluate business processes that may be vulnerable to significant cybersecurity risks.
A service organization controls (SOC) report evaluates the internal controls of an Outsource Service Provider (OSP), using trust services principles and criteria.
With the increase in cloud data usage and companies outsourcing other duties, it seemed a natural fit existed between the COSO principles and the Trust Services Principles and Criteria (TSPC). The new structure works to strengthen the existing trust criteria by weaving the criteria into the internationally accepted COSO framework.
The following discussion covers specifically COSO objectives within SOC 2 reporting.
What are the COSO Objectives?
The Internal Control-Integrated Framework is widely accepted as the go-to guide for setting up an effective internal control system. The framework consists of five components and 17 principles meant to aid in the achievement of an entity’s objectives and risk mitigation in three categories:
- Operational objectives
- Reporting objectives
- Compliance objectives
Together, the five components and 17 principles provide the foundation for an efficient internal control system to guide business processes toward operating effectiveness.
What are the COSO Principles?
COSO’s 17 principles specifically outline what is needed to effectively implement the five components—control environment, risk assessment, control activities, information and communication, and monitoring activities—for effective internal control.
Control Environment
- Principle 1: From the board of directors and management down to all staff, the organization prioritizes integrity and ethical values.
- Principle 2: The board of directors, operating independently of management, oversees the institution and performance of internal controls.
- Principle 3: Management pursues business objectives by assigning appropriate authorities and responsibilities and establishing a set organizational structure and reporting lines.
- Principle 4: Displays a commitment to hire and retain a competent workforce.
- Principle 5: All personnel are held accountable for upholding internal controls.
Risk Assessment
- Principle 6: Clear, definable objectives are set so the organization can identify and assess risks related to those objectives.
- Principle 7: Risks to company-wide objectives are identified and analyzed, then guidelines are created to manage those risks.
- Principle 8: Pointed consideration is given to the identification of fraud risks.
- Principle 9: The organization practices change management.
Control Activities
- Principle 10: Specific activities are implemented to address operational objectives and mitigate risks.
- Principle 11: Control activities designed to prevent fraud and reduce risk within technology systems are created.
- Principle 12: Control activities are outlined and explained through established policies and procedures.
Information and Communication
- Principle 13: To support the correct implementation of internal quality controls, the organization dispenses quality, relevant information.
- Principle 14: Internet control objectives and responsibilities are effectively communicated internally.
- Principle 15: Internal control objectives and responsibilities affecting external business partners, vendors, and other parties are communicated effectively.
Monitoring Activities
- Principle 16: Ongoing and spot-check evaluations are performed to determine the presence and function of internal controls.
- Principle 17: the board of directors and management receive timely communication regarding any deficiencies in internal control.
What are the SOC 2 Trust Criteria?
A SOC 2 report provides user entities (the organization looking for outsourcing) an inside look into an OSP’s internal controls over customer data and cybersecurity.
Aligning COSO objectives within SOC 2 reports requires auditors to examine the application of the COSO framework by an OSP. To create a more seamless transition, the American Institute of Certified Public Accountants (AICPA) made a few simple changes and adaptations:
- To avoid confusion with the already-established COSO principles, AICPA changed the name from Trust Services Principles and Criteria (TSP) to Trust Services Criteria (TSC)
- The TSC retain their original Trust Services com[ponenets in their original order. These are referred to as common criteria (CC):
- CC1 Series: Control environment
- CC2 Series: Communication and information
- CC3 Series: Risk assessment
- CC4 Series: Monitoring of controls
- CC5 Series: Control activities related to the design and implementation of controls
- Again, to avoid confusion between the frameworks, the trust services criteria specific to implementing internal controls over an IT infrastructure are now termed “trust service categories.”
There are five trust service categories defined by the AICPA:
Security
“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.”
Availability
“Information and systems are available for operation and use to meet the entity’s objectives.”
Processing Integrity
“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”
Confidentiality
“Information designated as confidential is protected to meet the entity’s objectives.”
Privacy
“Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.”
Are There Additional Trust Principles?
COSO objectives with SOC 2 guidelines do not include dealing specifically with cybersecurity and data risks. TSC added four additional criteria to address this. The new criteria serve to further expand COSO’s 12th Principle.
COSO Principle 12: “The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.”
The supplemental criteria for SOC 2 reporting include:
Logical and Physical Access Controls: Controls designed to govern logical and physical access, prevent unauthorized access, and control how access is provided and removed.
System Operations: Controls specific to the management of systems that are meant to detect logical and physical security breaches and mitigate process deviations.
Change Management: Controls that identify the need for changes to technology systems and how those changes are made, using an established change management process; controls preventing unauthorized changes.
Risk Mitigation: Controls to identify areas of potential risk regarding business partners, outside vendors, and business disruptions, and the controls created to mitigate those identified risks.
The Benefit of COSO Objectives within SOC 2 Examinations
More companies use OSPs for responsibilities like payroll, data storage, SaaS and web hosting. The framework integration requires auditors to include the COSO 2013 framework and evaluate the internal control structure of the OSPs in addition to the already established trust service criteria for SOC reporting.
The new framework improves security measures established by the TSC, strengthening the overall risk management capabilities of an organization.
Relationships with OSPs can directly impact internal controls. To protect the interests of their stakeholders, organizations are requiring any OSP they do business with to provide SOC 1 and SOC 2 reports to ensure their own internal control system addresses the new potential risks from using an OSP.
An OSP possessing a SOC 2 certification has a distinct competitive advantage because they can provide peace of mind to potential new clients.
Are you in the process of preparing for SOC 1 or SOC 2 certification? If integrating COSO objectives with SOC 2 reporting seems daunting, let ZenGRC help you automate the process.