SOC 2 CC5: Common Criteria related to Control Activities

What are SOC 2 Control Activities (CC5)?

As the leader of an organization, the success of your business can depend on the structure of your controls and related activities. You might have a tremendous product or service to offer, but if you fail to identify risks and mitigate them with controls, your business may struggle to attract and keep customers. Section CC5 of a SOC 2 Assessment is when we start to get into the implementation of controls. With a SOC 2 Assessment, you are going through the process of risk identification, detecting gaps in your control structure, putting processes in place for workflows, etc. Now we are at the stage where SOC 2 addresses common criteria related to control activities. 

Section CC5.0 goes beyond where CC4.0 left off with the monitoring of control activities. This action on control activities is on the development and implementation of controls, rather than the monitoring. As you build out the control environment for your organization, you can rely on the Trust Services Criteria (TSC). You should also consider the AICPA offering of mapping to COBIT, NIST, and other frameworks.

When you begin to look at CC5.0 as part of SOC 2, you will find three sub-sections which we will get into in more detail. These subsections include CC5.1, CC5.2, as well as CC5.3. All these sub-sections revolve around the process of putting both business and technology controls in place. In addition, once they are in place, deploying them in a way where they are operating as you would expect. 

Controls Related to Mitigation of Risks

The first sub-section within the SOC 2 related to CC5.0 is section CC5.1, identifying controls as they relate to the mitigation of risks. Do you remember the prior section of SOC 2 where we laid out the process for a risk assessment? Now that we have done the risk assessment process, any of the risks identified now need controls for mitigation. 

You will want to work with your team leads as you go through this process to deploy controls that aim to mitigate the risks to an acceptable level. As a business leader, you must understand you can never get the risk to zero. There is always the chance of risk when running a business, but it is how you mitigate the risks, what you choose to accept as a risk, etc. 

How to Select Controls

You will want to select controls with a basis on the environment of the market you operate, as well as your operations and processes. If any of your processes are manual, you will want both detective and preventative controls within the process to minimize the risk of human error. Every control you select needs to be purposeful needs to address a particular risk and should fit within your business model.

Using Different Types of Controls

You never want to rely on one type of control. There are many control types you can put in place. For example, a reconciliation done after a bank deposit is a manual and detective control. This is a control or process you are anticipating doing after an action is complete, and you are trying to find issues with that action. It is detective as you are finding it out after the fact, beyond when the mistake occurs in the first place.

You want to rely on other types of controls, with preventative being the most ideal. With preventative control, you are trying to detect the problem before the processing takes place. Think back to that same basic example of bank reconciliation. A preventative control would check all the deposits for accuracy and completeness as they went into the bank so that the reconciliation executes in real-time as the process played out. 

Implement Controls Everywhere 

No one should be left out from levels of control. You need controls across your company from the entry-level individuals right up to the executives, yourself included. The important thing about controls, when they have an adequate design, is that they will segregate out duties that should not co-mingle. You will have executives who can approve payments for certain amounts of money. These same individuals, though, should not be able to initiate a payment in isolation as that should remain for someone else. This type of segregation and control implementation at multiple levels achieves risk mitigation goals. 

Controls Over Technology

The next sub-section is CC5.2 and it gets at controls over technology. With your technology controls, you want to have a firm understanding of where your business processes and technology processes co-mingle. Going back to the same basic bank reconciliation example, is there infrastructure and integrations that carry the data from the bank to your general ledger to support the reconciliation? This type of integration and technology process supports the business process.

Infrastructure and Access Rights

Controls need to be in place to support infrastructure as well as access rights. When you are working to design these controls, think back to your risk assessment and threat model processes. With infrastructure controls, you want to maintain accuracy and completeness in everything you execute. This means having monitoring controls in place, balancing controls, and more. 

The same goes for access rights to ensure that individuals can only see data and work on parts of your technology where they have a business need. Control design should always take the assumption of least privilege. What are the least rights this employee needs to effectively do their job? 

Building Controls Within the Policies and Procedures

Your policies and procedures documentation also requires you to embed controls. Narratives, as they are sometimes called, should detail out controls as you write the process. On top of writing out the controls, it should include detailing who is performing the controls and the timeliness of their execution. All this gets coverage in the final sub-section which is CC5.3.

Within your process documentation, detail who is doing control execution. What happens if personnel find issues with the control activities? What are the corrective action steps they should be taking? It is critical to detail all this out as part of your policies and procedures to ensure nothing misses. 

Put Subject Matter Experts in Control

You need subject matter experts who know what the controls are and how to carry them out within their responsibilities. If you assign the execution of controls and the monitoring of those controls to an entry-level person with no experience, you may never know if it was a success or failure. Knowledgeable folks in the control area need placement for execution. 

Finally, management needs to be proactive in how they periodically reassess and review policies and procedures. On at least an annual basis it is critical to re-look at the procedures and the controls within them for relevancy and update needs.

CC5 Summary

Much like CC4, this is another of the more difficult sections to write out exactly what you have to do in order to meet all of the CC5 requirements. Of course, we’ll summarize it as well and hope for the best:

  • Maintain a register of internal controls (both business process and technology related)
  • Update your internal controls based upon risk assessments, results of control monitoring and other inputs on a regular basis
  • Maintain policies and procedures that assist with the enforcement and execution of your controls
  • Review and update your policies and procedures at least annually
  • Ensure those tasked with performing controls have the appropriate level of expertise to do so.