SOC 2 CC1.1 requires that the organisation demonstrates a commitment to integrity and ethical values.
CC1.1 highlights the following points of focus:
Sets the Tone at the Top
Your board of directors and management should demonstrate the importance of integrity and ethical values to support the functioning of the system of internal control, whether this be through their directives, actions or conduct.
Establishes Standards of Conduct
Your organisation’s standards of conduct convey and define the expectations of the board of directors and senior management when it comes to integrity and ethical values. This should be understood throughout the organisation, as well as by service providers and business partners.
Assesses Adherence to Standards of Conduct
Processes must be in place to evaluate the performance of people and teams against the organisation’s standards of conduct.
Addresses Deviations in a Timely Manner
Any deviations from the entity’s expected standards of conduct should be identified and resolved quickly and consistently.
An additional point of focus specifically related to all engagements using the trust services criteria:
Considers Contractors and Vendor Employees in Demonstrating Its Commitment
When establishing standards of conduct, your management team and the board of directors should consider the use of contractors and vendor employees in the organisation’s processes. They should also evaluate adherence to those standards and address deviations quickly and consistently.
Your board of directors should demonstrate independence from management and exercise oversight of the development and operation of internal control.
CC1.2 highlights the following points of focus:
Determines Oversight Responsibilities
Your board of directors should recognise and accept its oversight responsibilities in line with your established requirements and expectations.
Applies Relevant Expertise
Your board of directors should define, maintain, and regularly evaluate the skills and expertise needed among its members to enable them to ask probing questions of senior management and take appropriate action.
To ensure objective evaluations and decision-making, your board of directors should have sufficient members who are independent from management.
Additional point of focus specifically related to all engagements using the trust services criteria:
Supplements Board Expertise
As needed, your board of directors should supplement its expertise relevant to security, availability, processing integrity, confidentiality, and privacy. This may be through the use of a subcommittee or consultants.
With board oversight, your management team should establish structures, reporting lines, and appropriate authorities and responsibilities.
CC1.3 highlights the following points of focus:
Takes Into Account All Structures of the Business
Management and the board of directors should consider the organisation’s multiple structures to support the achievement of objectives. This includes:
- Operating units
- Legal entities
- Geographic distribution
- Outsourced service providers
Generates Reporting Lines
Your management team should design and assess lines of reporting for each organisational structure to enable execution of authorities and responsibilities and flow of information.
Outlines, Assigns, and Controls Authorities and Responsibilities
Management and the board of directors should delegate authority, outline responsibilities, and use appropriate processes and technology to allocate responsibility and segregate duties at the various levels of the organisation.
Additional points of focus specifically related to all engagements using the trust services criteria:
Addresses Specific Requirements When Defining Authorities and Responsibilities
Your board of directors and management team should consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when identifying authorities and responsibilities.
Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities
Management and the board of directors should consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities and responsibilities.
Your organisation should demonstrate a commitment to attract, develop, and retain competent individuals in alignment with your objectives.
CC1.4 highlights the following points of focus:
Establishes Policies and Practices
Your policies and practices should reflect the expectations of competence needed to support the achievement of objectives.
Evaluates Competence and Addresses Shortcomings
The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.
Attracts, Develops, and Retains Individuals
To achieve its objectives, your organisation should offer the mentoring and training needed to attract, develop, and retain capable personnel and outsourced service providers.
Plans and Prepares for Succession
Your senior management team and the board of directors should develop contingency plans for assignments of responsibility important for internal control.
Additional points of focus:
Considers the Background of Individuals
The organisation should consider the background of prospective and current employees, contractors, and vendors when determining whether to employ and retain them.
Considers the Technical Competency of Individuals
Your organisation should consider the technical competency of prospective and current employees, contractors, and vendors when determining whether to employ and retain them.
Provides Training to Maintain Technical Competencies
The business should provide training programmes to ensure skill sets and technical competency of current employees, contractors, and vendors are established and maintained.
Your organisation should hold individual employees accountable for their internal control responsibilities, in line with your objectives.
CC1.5 highlights the following points of focus:
Enforces Accountability Through Structures, Authorities, and Responsibilities
Your organisation’s board of directors and management team should establish the processes to convey and hold people responsible for performance of internal control responsibilities. They should also undertake remedial action if needed.
Creates Performance Measures and Incentives
The management team and board of directors should establish methods of measuring performance as well as incentives and rewards appropriate for responsibilities at all levels. This should reflect appropriate dimensions of performance and expected standards of conduct, and consider the success of short-term and long-term goals.
Evaluates Performance Measures and Incentives for Continuing Relevance
Your organisation’s management team and board of directors should align incentives and any rewards with the fulfillment of internal control obligations.
Considers Excessive Demands
The senior team should evaluate and adjust pressures associated with the achievement of objectives as they allocate responsibilities, develop performance measures, and assess performance.
Assesses Implementation and Rewards or Disciplines Individuals
Your board of directors and management team should assess performance of internal control duties, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as needed.