SOC 2 Obligations for Board of Directors Members

SOC 2 involves internal procedures for the company's employees and doesn't involve any board of directors involvement, right? Wrong. In this post, we'll offer some insights into the ways in which a company's board of directors should expect to be involved in the company's SOC 2 efforts.

What is TSP Section 100?

A formal viewpoint on how boards of directors should view their role in SOC 2 is available in TSP Section 100 from the AICPA. This document describes (in great detail) how SOC 2 auditors are to evaluate and report on controls. If you've been a part of discussions where a management team is reflecting on the scope of an upcoming audit, you've likely heard of the five Trust Services Criteria:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

TSP Section 100 covers each of these in detail, and describes "common criteria" used for evaluating the effectiveness of the entity's controls. It's in those "common criteria" that the board of directors' role is specifically described.

Common Criteria

TSP 100 describes five common criteria:

  • The control environment (CC1 series)
  • Communication and information (CC2 series)
  • Risk assessment (CC3 series)
  • Monitoring of controls (CC4 series)
  • Control activities related to the design and implementation of controls (CC5 series)

Although boards of directors might plausibly be involved in many aspects of the above common criteria, in this post we'll focus just on the portions of the common criteria that explicitly mention the board of directors, leaving no ambiguity as to their desired involvement.

CC1 - The Control Environment

TSP 100 mentions board of directors obligations most heavily in CC1 (the control environment). Here's what TSP 100 says about board of directors involvement in that section.

Criteria Excerpts Describing the Board of Directors Role

CC1.1

The entity demonstrates a commitment to integrity and ethical values.

  • Sets the Tone at the Top — The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
  • Establishes Standards of Conduct — The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
  • Considers Contractors and Vendor Employees in Demonstrating Its Commitment — Management and the board of directors consider the use of contractors and vendor employees in its processes for establishing standards of conduct, evaluating adherence to those standards, and addressing deviations in a timely manner.

CC1.2

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

  • Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
  • Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
  • Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.
  • Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.

CC1.3

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

  • Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
  • Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization.
  • Addresses Specific Requirements When Defining Authorities and Responsibilities — Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.
  • Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.

CC1.4

The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

  • Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.
  • Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.

CC1.5

The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

  • Enforces Accountability Through Structures, Authorities, and Responsibilities — Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary.
  • Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.
  • Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.

Beyond CC1

Outside of the board of directors mentions in CC1 (the control environment), here are the additional portions of the common criteria that specifically define a role for the board of directors:

  • Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
  • Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.
  • Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
  • Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
  • Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
  • COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

SOC 2 & Boards of Directors: Wrapping Up

When we set out to write this article, we initially intended to dive deeply into each of the board of directors mentions in TSP 100. However, we quickly realized that doing so would lead to quite a lengthy article -- not our typical style. We'd love your feedback on which portions of board of directors involvement you'd like us to explore more deeply -- we'll consider your requests for future articles.