SOC 2 Assessments: Common Criteria related to the Control Environment

What Is the SOC 2 Control Environment (CC1)?

Within the Common Criteria, the Control Environment (also known as CC1) addresses several entity-level controls that are expected to be in place across the Company. Like Common Criteria 2 through 5, CC1 is based on COSO and borrows COSO's requirement language for its own criteria.

The AICPA is a member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), whose internal control framework supplies the components and principles that the common criteria for SOC 2 assessments are aligned with.

We have summarized the requirements of CC1 within this post to help point you in the right direction for addressing its requirements.

What are the requirements for SOC 2’s CC1?

A Code of Conduct

Companies need a Code of Conduct. It is typically included in the Employee Handbook and usually covers items such as acceptable use and the confidentiality commitments required of staff. Employees should sign off on the document at onboarding, and again after any major update, to acknowledge receipt and pledge to abide by it as a condition of employment.

Executive management and/or the Board of Directors should review the Code of Conduct annually and make any necessary revisions.

Clear Organizational Structure

Organizations should establish structures, reporting lines, and appropriate responsibility and authority to achieve organizational goals. A Board of Directors, if in place, must be independent of management and should provide oversight of internal controls and of Company performance.

Such controls and governance should include succession planning and a commitment to attract, train, and retain competent employees in pursuit of company goals.

The evidence that is often produced for this requirement is a documented organization chart that is reviewed and updated on a regular basis.

Employee Onboarding

During the onboarding process, due diligence should be performed on candidates. This includes background checks and training to make sure they meet the ethical values integral to the organization.

As part of the onboarding process, there should be a checklist to record onboarding activities undertaken. Activities will include documentation that an employee has received and reviewed all policies, such as ethics, sanctions, and other requirements for keeping data safe and secure. Employees will be given access to the programs, applications, and platforms they need as part of their job (More on that in CC6). 

Typical onboarding requirements regarding the Common Criteria (CC1) include, but are not limited to:

  • Background Check
  • Skills/Reference Check
  • Confidentiality Agreement
  • Acknowledgement of Employee Handbook and Security Policies
  • Security Awareness Training targeted at new employees

Employee Handbook

An Employee Handbook should be written and updated at least annually. It should be given to any new employees, and any updates must be communicated to all employees promptly. An acknowledgment form should be signed by the receiving employee to confirm he/she has read and understands the Handbook.

In addition to the typical information about employee timekeeping, payroll, benefits, and employment status, Employee Handbooks should include the following to comply with the SOC 2 requirements:

  • Employee Code of Conduct / Code of Ethics
  • Acceptable Usage
  • Protection of Data
  • Confidentiality Requirements
  • Whistleblower Procedures
  • Sanctions Policy
  • Any Other Company Specific Procedures

Contractor Considerations

Contractors should be held to the same standards that are required of employees, though those standards are often implemented in a different manner. For example, the Company may require the contractor's employer to perform background checks and obtain nondisclosure agreements from the contractor prior to the start of work.

You should consider the following items for onboarding and maintaining contractors. Whether you perform them yourself or obligate the contractor (or their employer) to perform them, they need to be done and evidenced:

  • Background Check
  • Confidentiality Agreement
  • Security Awareness Training
  • Acknowledgement of receipt of and adherence to Security Policies

Job Descriptions

For an employee to understand his/her role within the Company, a formal written job description is needed to communicate the Company's expectations for each employee. Job descriptions should be reviewed and updated on an annual basis. The job description should also document any other expectations of the employee; for example, if the employee is responsible for managing and overseeing vendors, that responsibility should be stated in the description.

Employee Performance Reviews

Performance reviews should be conducted at least annually and are used to hold team members accountable for meeting the expectations of their job function (as documented in the job description). Additionally, employee performance reviews should be utilized to determine whether additional training is required for them to meet the needs of the business.

Oversight of Management

In every organization, ownership hires management to run the business, and ownership has the responsibility to gain assurance that management is operating in accordance with ownership's interests.

From a CC1 perspective, artifacts of the ownership’s oversight of management should be generated to confirm that management is furthering the directives of the ownership. This could be in the form of meeting minutes, review of management performance or other artifacts created from the oversight process.

Employee Compensation Adjustments

The Company should have a clear policy and procedure documenting the requirements for pay increases based upon objectives. In particular, the objectives tied to pay adjustments should be reviewed for whether they place pressure on the employee, or create an incentive, to act fraudulently in order to obtain the increase.

SOC 2’s CC1 Summary

Quite frankly, if you have a well-functioning HR department, then the requirements laid out within Common Criteria 1 (CC1) related to the Control Environment should be a breeze. When we work with clients on this set of Common Criteria, there are usually very few action items needed to bring them into compliance with the SOC 2 requirements.

If you’ve got any questions regarding what is required to accomplish compliance with CC1, do not hesitate to contact us!