SOC 2 involves internal procedures for the company’s employees and doesn’t require any involvement from the board of directors, right? Wrong. In this post, we’ll offer some insights into the ways in which a company’s board of directors should expect to be involved in the company’s SOC 2 efforts.
What is TSP Section 100?
A formal viewpoint on how boards of directors should view their role in SOC 2 is available in TSP Section 100 from the AICPA. This document describes (in great detail) how SOC 2 auditors are to evaluate and report on controls. If you’ve been a part of discussions where a management team is reflecting on the scope of an upcoming audit, you’ve likely heard of the five Trust Services Criteria:
- Processing Integrity
TSP Section 100 covers each of these in detail, and describes the “common criteria” used for evaluating the effectiveness of the entity’s controls. It’s in those “common criteria” that the role of the board of directors is specifically described.
TSP 100 describes five common criteria:
- The control environment (CC1 series)
- Communication and information (CC2 series)
- Risk assessment (CC3 series)
- Monitoring of controls (CC4 series)
- Control activities related to the design and implementation of controls (CC5 series)
Although boards of directors might plausibly be involved in many aspects of the common criteria above, in this post we’ll focus only on the portions of the common criteria that explicitly mention the board of directors, leaving no ambiguity as to its expected involvement.
CC1 – The Control Environment
TSP 100 mentions the obligations of the board of directors most heavily in CC1 (the control environment). Here’s what TSP 100 says about board of directors involvement in that section.
| Criteria | Excerpts Describing the Board of Directors Role |
|---|---|
| The entity demonstrates a commitment to integrity and ethical values. | |
| The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | |
| Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | |
| The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | |
| The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | |
Outside of the board of directors mentions in CC1 (the control environment), here are the additional portions of the common criteria that specifically define a role for the board of directors:
- Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
- Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.
- Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
- Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
- Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
- COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC 2 & Boards of Directors: Wrapping Up
When we set out to write this article, we initially intended to dive deeply into each of the board of directors mentions in TSP 100. However, we quickly realized that doing so would lead to quite a lengthy article — not our typical style. We’d love your feedback on which portions of board of directors involvement you’d like us to explore more deeply — we’ll consider your requests for future articles.