COSO 2013 was way ahead of its time. Given that, it’s even more interesting to note that it took until 2019 for the COSO 2013 Principles to be applied to SOC 2 audits. For those of us that have been in the vendor management world for many years, we have had a front row seat in watching the development and maturity of third-party risk management, what it means to us and what our regulatory agencies expect of us.
Just as some of the Trust Service Principle controls of the previous generation of SOC 2 reporting overlapped with one another, the COSO 2013 principles and the Trust Services Criteria often overlap and build on each other. The benefit of this incorporation is a more granular look at existing controls and the addition of new, much needed, controls.
The Trust Services Criteria (TSC) are the following:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
5 Main Components of COSO 2013 Principles
Below, you’ll find a breakdown of the COSO 2013 principles and what we as vendor management professionals look for in the SOC 2 report as we review it to determine whether these areas are covered. The 17 principles fall into 5 main components:
1. Control Environment
- Demonstrate commitment to integrity and ethical values
  - Does your vendor have an established code of ethics?
  - Are employees required to acknowledge it?
- Ensure the board exercises oversight responsibility
  - Is the vendor’s board of directors independent of management?
  - Are the members qualified, and do they understand the business they’re responsible for governing?
  - Do they meet on a regular basis?
- Establish structures, reporting lines, authorities and responsibilities
- Demonstrate commitment to a competent workforce
  - Does the vendor conduct background screening on employees?
  - Are employees required to acknowledge governing policies and participate in regular security training?
- Hold people accountable
  - Does the vendor make governing policies available to employees?
  - Are annual performance assessments conducted?
2. Risk Assessment
- Specify appropriate objectives
  - Has the vendor established appropriate control objectives?
  - Is there an enterprise risk management program in place?
  - Is this program reviewed and updated at least annually?
  - Has the vendor established a strategic plan and an information technology strategic plan?
- Identify and analyze risks
  - Does the vendor conduct regular penetration testing and vulnerability assessments?
  - Is this testing conducted by a third party?
  - Are third-party providers assessed against the vendor’s policy on the applicable trust criteria?
- Evaluate fraud risks
  - Is there an enterprise risk management program in place?
  - Does the program consider the potential for fraud in its risk assessments?
  - Does the program consider various types of fraud?
- Identify and analyze changes
  - Is this program reviewed and updated at least annually?
  - Does the program consider changes in the external environment and the overall business model, as well as changes in leadership and execution?
3. Control Objectives
- Select and develop control activities that mitigate risk
  - Is there an enterprise risk management program in place?
  - Is this program reviewed and updated at least annually?
  - Does the vendor have an internal audit plan?
  - Are findings reported to management and the board of directors?
  - Does the vendor have established follow-up procedures for identified deficiencies or vulnerabilities?
- Select and develop technology controls
  - Are the vendor’s management and personnel aware of their responsibilities based on the trust services criteria selected?
  - Are policies reviewed and approved regularly?
  - Is logical access based on roles and responsibilities?
- Deploy control activities through policies and procedures
  - Does the vendor maintain an incident response program?
  - Are policies reviewed and approved regularly?
4. Information and Communication
- Use relevant, quality information to support the internal control function
  - Does the vendor’s management meet regularly to discuss whether security and confidentiality requirements are being met?
  - Are policies reviewed and approved regularly?
  - Does the vendor conduct regular security assessments?
- Communicate internal control information internally
  - Are the vendor’s management and personnel aware of their responsibilities based on the trust services criteria selected?
  - Are policies reviewed and approved regularly?
  - Does the board of directors maintain independence and review the actions of management and operational staff?
  - Has the vendor established procedures to document, log and remediate identified vulnerabilities and incidents?
- Communicate internal control information externally
  - Does the vendor use an ethics hotline for reporting?
  - Is there a change notification process used to communicate changes to external parties?
  - Does the vendor maintain formal contracts with third-party vendors, and are these relationships monitored?
  - Has the vendor established procedures to document, log and remediate incidents?
5. Monitoring
- Perform ongoing or periodic evaluations of internal controls, or a combination of the two
  - Does the vendor conduct regular security assessments?
  - Are they performed by a third party?
  - Does the vendor have defined equipment build lists?
- Communicate internal control deficiencies
  - Does the vendor have established follow-up procedures for identified deficiencies or vulnerabilities?
  - Are these findings reported to management and to the board of directors?
These are the types of questions you should be asking yourself, and thinking about critically, as you review a vendor’s SOC 2 audit report. They will help you see the big picture and judge whether the controls in place are sufficient and effective.