In this installment of McKonly & Asbury’s ongoing series of articles focused on System and Organization Controls (SOC) engagements, we will focus our discussion on two of the most frequent areas of concern when working alongside a small service organization in their pre-assessment process for a SOC 2 or a SOC 3 engagement. While many small (defined by employee headcount, not by revenue) and less-complex organizations have very sophisticated internal controls and can easily identify and document those controls in a way to address the relevant trust services criteria, size does matter and has a significant impact on two particular areas of evaluation.
The first stumbling block that comes up is how a small organization can address Trust Services Criterion CC1.2: “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” (If you need further details on what the Trust Services Criteria are, or what CC1.2 means, please refer to a previous article and webinar – this fundamental detail is important, but outside the scope of this article.) The obvious question that gets asked on virtually every SOC 2 pre-assessment for a smaller organization is this: “We don’t have a Board of Directors – do we have to form one just for this? Or will we ‘fail’ to meet this Criterion?”
The AICPA has issued guidance specific to this question, and the answer is clear: you do NOT need to have a formal board of directors to meet this criterion, but you DO need to have controls and oversight in place that achieve the outcome that is sought. Specifically, the Trust Services Criteria define a board of directors as “Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.”
Board of Director Oversight
As you can see, this definition recognizes that smaller, less complex businesses can fulfill the oversight role of a board of directors with a heavily involved owner, group of owners, or executive management team. These active and involved leaders may have far greater personal oversight over organizational structure and operations; the ability to affect ethical values; and the ability to attract, retain, and hold accountable service organization personnel. They are also likely to provide adequate oversight of internal controls and to mitigate risks arising from the lack of segregation of duties that often exists in such organizations. The important part of the equation is not having a formal board of directors – it is having an active individual or team that takes ownership of, and interest in, the accountability of the organization.
Segregation of Duties
The second area of difficulty in a smaller and less complex organization is the ability to have truly effective segregation of duties. Segregation of duties is applicable to many of the Trust Services Criteria and is an important component of a strong internal control environment. Unfortunately, the desired level of separation of roles is often difficult, if not impossible, to achieve in a small organization. As with the board of directors topic above, the answer is not to create something that isn’t there (i.e., hire more heads just to achieve better segregation of duties). The answer is to design secondary controls that are both preventive AND detective, so that you can function with less-than-perfect segregation of duties and know that you can still maintain a strong overall environment. These additional controls may be system-driven (for example, system-enforced approvals or automated exception reports), they may be regular “internal audit” type activities, or they may require more hands-on reviews by an active owner group. But to be clear – a small organization without the ability to have clearly defined best-of-class segregation of duties can, with a little work, have a control environment that will easily achieve the company’s objectives with regard to the applicable Trust Services Criteria.
If you are contemplating the need for a SOC report to provide to your customers, we strongly encourage you to start the process before it becomes a “term of engagement” for your customers. As a small and less complex entity, it’s far more productive to take your time and work out the details of addressing the Trust Services Criteria, particularly the points addressed in this article, if you aren’t rushing to get it done to meet a customer need. If you’d like to discuss how to take the initial steps on pre-assessment, please reach out to either David Hammarberg at email@example.com or Michael Hoffner at firstname.lastname@example.org. We’d love the opportunity to help you take the first steps in this important journey.
April 29 Webinar: Top SOC 2 Compliance Questions Answered
In case you missed it, McKonly & Asbury’s next webinar is taking place on Thursday, April 29 at 2pm and will provide answers to typical SOC 2 questions that we frequently receive from clients throughout the SOC reporting process. During this webinar, our presenters will answer a variety of questions, providing an understanding of:
- What is Scope?
- What is the difference between vendors vs. sub-service organizations?
- What part does a vendor or sub-service organization’s SOC 2 play in your SOC 2 audit?
You can learn more and register by clicking here.