The document is a checklist for a SOC 2 Type 2 audit. For each Common Criteria (CC) control it lists the control activity specified by the organization and the test the auditor applies, covering the control environment, communication and information, risk assessment, monitoring activities and control activities. Some key points:
- The organization demonstrates its commitment to integrity and ethical values through a code of conduct that is acknowledged at hire and enforced through disciplinary action.
- Risks are identified through an annual formal risk assessment and scored by likelihood and impact; the potential for fraud is considered as part of that assessment.
- Internal communication keeps employees informed of policies and responsibilities; external communication covers commitments to customers, agreements with vendors, and notice of significant system changes.
- Quality information comes from control self-assessments, log management, quarterly vulnerability scans of external-facing systems, and accurate, current descriptions of services for users.
www.infosectrain.com
CC1.0 Control Environment
CC1.1: Demonstrates Commitment to Integrity & Ethical Values
Control (COSO Principle 1): The entity demonstrates a commitment to integrity and ethical values.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC1.1.1
Control activity: Contractor agreements include a Code of Business Conduct and a reference to the corporate Code of Conduct, and the codes are posted on the corporate intranet where all employees can access them.
Auditor test: Examine the Code of Business Conduct and confirm it is accessible on the corporate intranet.

CC1.1.2
Control activity: At the time of hire, new hires must acknowledge the code of conduct. Employees who breach the code are subject to disciplinary action in accordance with the policy.
Auditor test: Examine the code of conduct and confirm it documents an enforcement process that includes disciplinary action.

CC1.1.3
Control activity: Prospective hires must undergo background checks.
Auditor test: Examine the background-check records and verify that the documented information is accurate.

CC1.1.4
Control activity: Employees and contractors must sign a confidentiality agreement at the time of hire or engagement.
Auditor test: Examine signed confidentiality agreements and confirm that employees and contractors signed them at the time of engagement.

CC1.1.5
Control activity: Management completes performance reviews for direct reports at least once a year.
Auditor test: Confirm that the company performs annual performance evaluations for all employees.
CC1.2: Exercises Oversight Responsibility
Control (COSO Principle 2): The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC1.2.1
Control activity: All corporate policies are reviewed and approved yearly by the board of directors or a relevant subcommittee, such as senior management.
Auditor test: Examine the corporate policies and confirm they have been reviewed and approved by senior management.

CC1.2.2
Control activity: Board members are qualified to oversee management's capacity to design, implement and operate information security controls.
Auditor test: Confirm that the information security controls have been designed, implemented, reviewed and approved by the proper authorities.

CC1.2.3
Control activity: The board of directors holds formal meetings at least once a year and keeps minutes of those meetings. The board includes directors who are not affiliated with the company.
Auditor test: Examine the board minutes to confirm that meetings were held at least once a year, that minutes were recorded, and that independent directors were present.

CC1.2.4
Control activity: The organisational chart covering all personnel is reviewed and approved annually by senior management.
Auditor test: Examine the organisational chart and confirm it has been reviewed and approved by senior management.

CC1.2.5
Control activity: Management demonstrates a commitment to integrity and ethical behaviour.
Auditor test: Examine the ethics management documentation and confirm that management demonstrates a commitment to integrity and ethical values.
CC1.3: Establishes Structure, Authority, and Responsibility
Control (COSO Principle 3): Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC1.3.1
Control activity: Management has established clear roles and responsibilities for overseeing the development and implementation of information security controls.
Auditor test: Confirm that management has defined clear roles and responsibilities for overseeing the development and implementation of information security controls.

CC1.3.2
Control activity: The board of directors has a written charter outlining its internal control oversight obligations.
Auditor test: Examine the board charter and confirm it outlines the board's roles and responsibilities for internal control oversight.

CC1.3.3
Control activity: The business maintains an organisational chart that documents its hierarchy and reporting structure.
Auditor test: Examine the most recent organisational chart and confirm it accurately reflects the hierarchy and reporting structure.

CC1.3.4
Control activity: The business maintains job descriptions for client-facing IT and engineering positions to support the operational performance of employees.
Auditor test: Examine the job descriptions and confirm they define the duties of each position.

CC1.3.5
Control activity: A Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance and monitoring of information security controls.
Auditor test: Examine the Roles and Responsibilities policy and confirm it allocates responsibility for the design, implementation, operation, maintenance and monitoring of information security controls.
CC1.4: Demonstrates Commitment to Competence
Control (COSO Principle 4): The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC1.4.1
Control activity: New personnel undergo a thorough evaluation of their ability to perform the duties of their positions.
Auditor test: Examine the hiring records and confirm that a competence assessment was completed for new hires.

CC1.4.2
Control activity: The business runs background checks on new hires.
Auditor test: Examine the onboarding process and confirm that new hires' backgrounds are checked.

CC1.4.3
Control activity: Management completes performance reviews for direct reports at least once a year.
Auditor test: Examine the performance review policy and the performance evaluations to confirm that evaluations are carried out annually.

CC1.4.4
Control activity: A Roles and Responsibilities policy formally allocates roles and responsibilities for the design, development, implementation, operation, maintenance and monitoring of information security controls.
Auditor test: Examine the Roles and Responsibilities policy and confirm it allocates responsibility for the design, implementation, operation, maintenance and monitoring of information security controls.

CC1.4.5
Control activity: Employees must complete security awareness training within 30 days of hire and at least once a year thereafter.
Auditor test: Examine the Information Security Policy and confirm it requires security training at the time of hire and annually thereafter.
CC1.5: Enforces Accountability
Control (COSO Principle 5): The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC1.5.1
Control activity: All personnel in client-facing, IT, engineering and information security roles undergo quarterly evaluations of their job responsibilities.
Auditor test: Confirm that job responsibilities are evaluated quarterly.

CC1.5.2
Control activity: At the time of hire, new hires must acknowledge the code of conduct. Employees who breach the code are subject to disciplinary action in accordance with the policy.
Auditor test: Examine the code of conduct and confirm it documents an enforcement process that includes disciplinary action.

CC1.5.3
Control activity: The business has implemented information security awareness training, and the training materials are accessible to all employees on the firm's intranet.
Auditor test: Examine the information security awareness materials and confirm that all employees can access them via the intranet.

CC1.5.4
Control activity: All staff must complete information security awareness training upon hire and once a year thereafter.
Auditor test: Examine the information security awareness training records.

CC1.5.5
Control activity: Every year, all employees must review and acknowledge the company's policies.
Auditor test: Examine the policy acknowledgment records and confirm that all employees have read and agreed to the policies.
CC2.0 Communication and Information
CC2.1: Quality Information
Control (COSO Principle 13): The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC2.1.1
Control activity: Information generated by the organization's systems is assessed and analyzed to identify its effect on the operation of internal controls.
Auditor test: Confirm that the operation of internal controls has been reviewed and evaluated using the information generated by the system.

CC2.1.2
Control activity: The corporation conducts annual control self-assessments to confirm that controls are present and operating effectively, and implements corrective actions based on the findings.
Auditor test: Examine the annual control self-assessments and confirm that key policies and controls are reviewed annually for presence and operating effectiveness, and that corrective actions were tracked for identified findings.

CC2.1.3
Control activity: The organization uses a log management tool to identify events that could compromise its ability to meet its security objectives.
Auditor test: Confirm that the log management tool identifies events that could affect security objectives.

CC2.1.4
Control activity: The corporation presents up-to-date information about its services prominently on its website so that customers can access it.
Auditor test: Confirm that current information about the corporation's services is presented on its website.

CC2.1.5
Control activity: The corporation runs host-based vulnerability scans against its external-facing systems quarterly. Critical and high vulnerabilities identified by the scans are tracked and remediated promptly.
Auditor test: Examine the quarterly vulnerability scan reports for the external-facing systems and confirm that critical and high findings were tracked and remediated.
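The CC2.1.5 test asks the auditor to confirm two things from scan evidence: that scans actually ran every quarter across the audit period, and that every critical and high finding was closed promptly. The check below is an added example written for this page, not part of the infosectrain checklist or of any scanner or GRC tool; it turns that test into code run against a constructed export of scan dates and findings. The remediation deadlines (30 days for critical, 60 for high), the 92-day cadence window, the host addresses and the sample findings are all assumptions, since the checklist only says "quarterly" and "promptly".

```python
"""Evidence check for CC2.1.5: quarterly external scans and critical/high remediation.

Added example for this page; not part of the infosectrain checklist or of any
scanner or GRC product. SLA thresholds, cadence window and all data are constructed.
"""
from datetime import date, timedelta

# Assumed remediation SLAs in days; the checklist only says "promptly".
SLA_DAYS = {"critical": 30, "high": 60}
# Assumed definition of "quarterly": no window longer than this without a scan.
MAX_GAP_DAYS = 92

# Constructed audit period and evidence, standing in for a scanner export.
PERIOD_START = date(2023, 1, 1)
PERIOD_END = date(2023, 12, 31)
AS_OF = PERIOD_END  # date the evidence was pulled

SCAN_DATES = [
    date(2023, 1, 15),
    date(2023, 4, 10),
    date(2023, 7, 5),
    date(2023, 11, 20),  # 138 days after the previous scan: one quarter missed
]

FINDINGS = [
    {"host": "203.0.113.10", "title": "OpenSSH outdated", "severity": "critical",
     "first_seen": date(2023, 1, 15), "closed": date(2023, 2, 10)},
    {"host": "203.0.113.11", "title": "TLS 1.0 enabled", "severity": "high",
     "first_seen": date(2023, 4, 10), "closed": date(2023, 6, 20)},
    {"host": "203.0.113.12", "title": "Unpatched web server", "severity": "critical",
     "first_seen": date(2023, 11, 20), "closed": None},
    {"host": "203.0.113.10", "title": "Banner disclosure", "severity": "medium",
     "first_seen": date(2023, 4, 10), "closed": None},
]


def scan_cadence_gaps(scan_dates, period_start, period_end, max_gap=MAX_GAP_DAYS):
    """Return (start, end) windows inside the audit period longer than max_gap
    days with no scan. An empty list means quarterly cadence held throughout."""
    in_period = sorted(d for d in scan_dates if period_start <= d <= period_end)
    checkpoints = [period_start, *in_period, period_end]
    return [(a, b) for a, b in zip(checkpoints, checkpoints[1:])
            if (b - a).days > max_gap]


def sla_exceptions(findings, as_of, sla_days=SLA_DAYS):
    """Return critical/high findings closed after their SLA deadline, or still
    open past it as of `as_of`. Lower severities are out of scope for CC2.1.5."""
    exceptions = []
    for f in findings:
        sla = sla_days.get(f["severity"].lower())
        if sla is None:
            continue
        deadline = f["first_seen"] + timedelta(days=sla)
        effective = f["closed"] or as_of   # open findings are measured up to as_of
        if effective > deadline:
            exceptions.append({**f, "deadline": deadline,
                               "days_over": (effective - deadline).days,
                               "status": "closed late" if f["closed"] else "open"})
    return exceptions


def run_check(scan_dates=SCAN_DATES, findings=FINDINGS,
              period_start=PERIOD_START, period_end=PERIOD_END, as_of=AS_OF):
    """Combine both tests into one result an auditor can file as evidence."""
    gaps = scan_cadence_gaps(scan_dates, period_start, period_end)
    late = sla_exceptions(findings, as_of)
    return {"cadence_met": not gaps, "cadence_gaps": gaps,
            "sla_met": not late, "sla_exceptions": late}


if __name__ == "__main__":
    result = run_check()
    print("Quarterly cadence met:", result["cadence_met"])
    for a, b in result["cadence_gaps"]:
        print(f"  no scan between {a} and {b} ({(b - a).days} days)")
    print("Critical/high SLA met:", result["sla_met"])
    for e in result["sla_exceptions"]:
        print(f"  {e['host']} {e['title']} ({e['severity']}): {e['status']}, "
              f"{e['days_over']} days past {e['deadline']}")
```

On the constructed data both tests fail: there is no scan between 5 July and 20 November, one high finding was closed 11 days late, and one critical finding is still open 11 days past its deadline. Measuring open findings against the evidence-pull date rather than ignoring them is the point of the `effective` line; an auditor treats an unremediated critical as an exception, not as a finding that has simply not been closed yet.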
CC2.2: Internal Communication for Effective Control
Control (COSO Principle 14): The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC2.2.1
Control activity: The company's Code of Business Conduct sets out guidelines for appropriate conduct. All employees have access to the code via the company intranet, so everyone knows its ethical guidelines.
Auditor test: Examine the behavioral standards in the Code of Business Conduct and verify that the code is accessible to all staff through the company intranet.

CC2.2.2
Control activity: Management has established specific roles and responsibilities to ensure that information security controls are designed and implemented.
Auditor test: Examine the security policies and confirm that management has designated roles and responsibilities for supervising the design and implementation of information security controls.

CC2.2.3
Control activity: The organization provides comprehensive descriptions of its products and services to internal employees and to external users such as customers, partners and stakeholders, so they understand what the company offers and how it meets their needs.
Auditor test: Review the product and service descriptions for internal and external users and confirm they are clear and aligned with user needs.

CC2.2.4
Control activity: The firm maintains documented information security policies and procedures and reviews them annually to ensure they remain relevant and effective in safeguarding sensitive information and assets.
Auditor test: Examine the information security policies and procedures and confirm they are documented, reviewed yearly, and acknowledged by new employees.

CC2.2.5
Control activity: Authorized internal users are promptly informed of system changes.
Auditor test: Examine the internal communication practices and confirm that authorized internal users are informed about system changes.
CC2.3: Communication with External Parties
Control (COSO Principle 15): The entity communicates with external parties regarding matters affecting the functioning of internal control.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC2.3.1
Control activity: The firm operates an external-facing support system through which users can report system failures, incidents, concerns and other complaints to the relevant personnel.
Auditor test: Examine the CodeSee website and confirm that a support email address is available for users to report system issues and that reports reach the right personnel.

CC2.3.2
Control activity: The company communicates its security commitments to customers through Master Service Agreements (MSA) or Terms of Service (TOS).
Auditor test: Examine the Master Service Agreement and confirm it informs customers of the company's commitments.

CC2.3.3
Control activity: The company establishes contractual agreements with vendors and affiliated third parties that include confidentiality and privacy commitments relevant to the firm.
Auditor test: Examine a sample signed Non-Disclosure Agreement to verify that confidentiality and privacy agreements are in place with contractors and third parties.

CC2.3.4
Control activity: The company comprehensively describes its products and services to internal and external users.
Auditor test: Examine the CodeSee website and verify that a product description intended for both internal and external users is present.

CC2.3.5
Control activity: The company informs customers of significant system changes that could affect their processing operations.
Auditor test: Examine the company website and confirm that customers are informed of significant system changes that could affect their processing activities.
CC3.0 Risk Assessment
CC3.1: Specification of Objectives
Control (COSO Principle 6): The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC3.1.1
Control activity: The company maintains a documented risk management program that guides the identification of potential threats, the assessment of the significance of the associated risks, and the definition of mitigation strategies.
Auditor test: Examine the Risk Assessment Policy for documented steps to identify and manage risks, and observe in Secureframe a maintained list of risks with assigned ratings and tracked improvement actions.

CC3.1.2
Control activity: The company performs annual risk assessments that identify threats and changes to service commitments and evaluate risks, including the potential for fraud and its impact on objectives.
Auditor test: Examine the records of the annual formal risk assessment exercise.

CC3.1.3
Control activity: The company has an established vendor management program that includes an inventory of critical third-party vendors, vendor security and privacy requirements, and annual reviews of critical third-party vendors.
Auditor test: Examine the vendor list in Secureframe for ratings, security and privacy requirements, and reviews; examine the Vendor Management Policy for contract reviews, annual assessments, risk evaluation and due diligence procedures.

CC3.1.4
Control activity: The company maintains a documented Business Continuity/Disaster Recovery (BC/DR) plan and tests its effectiveness annually.
Auditor test: Examine the BC/DR plan and confirm it exists, has been approved, and is tested yearly.
CC3.2: Risk Identification and Analysis
Control (COSO Principle 7): The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC3.2.1
Control activity: The firm performs an annual formal risk assessment, as outlined in the Risk Assessment and Management Policy, to identify potential threats to the security commitments and requirements of its systems.
Auditor test: Examine the records of the annual formal risk assessment exercise.

CC3.2.2
Control activity: Each risk is assessed and given a risk score based on its likelihood of occurrence and its impact on the security, availability and confidentiality of the company's platform. Risks are then linked to mitigating factors that address the relevant aspects of the risk.
Auditor test: Examine how each risk is scored for likelihood and impact on platform security, availability and confidentiality, and confirm that risks are linked to actions that reduce their effects.

CC3.2.3
Control activity: During onboarding, new staff must review and acknowledge company policies, so they understand their responsibilities and commit to compliance.
Auditor test: Examine the policy acknowledgment records and confirm that new staff have reviewed and acknowledged the policies.

CC3.2.4
Control activity: The organization maintains a documented risk management program with instructions for identifying potential threats, assessing the significance of the associated risks, and formulating strategies to mitigate them.
Auditor test: Examine the Risk Assessment and Treatment Policy for documented risk management processes, and verify in Secureframe that a risk register is maintained with identified vulnerabilities, severity ratings and tracked remediation actions.

CC3.2.5
Control activity: The company runs a vendor management program that maintains a list of critical third-party vendors, sets security and privacy requirements for vendors, and performs annual reviews of these vendors.
Auditor test: Examine the vendor management program and confirm it includes a process for documenting and overseeing vendor relationships.
CC3.3: Fraud Consideration in Risk Assessment
Control (COSO Principle 8): The entity considers the potential for fraud in assessing risks to the achievement of objectives.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC3.3.1
Control activity: The company performs annual risk assessments that identify threats and changes to service commitments, include a formal risk assessment, and consider the potential impact of fraud on objectives.
Auditor test: Examine the risk assessment documentation and confirm that assessments are annual, identify threats and changes to commitments, include a formal risk assessment, and consider the impact of fraud on objectives.

CC3.3.2
Control activity: The company maintains a documented risk management program that provides instructions for identifying potential threats, evaluating the significance of the associated risks, and developing strategies to mitigate them.
Auditor test: Examine the risk management program and confirm it provides guidance for identifying potential threats and for the strategies that mitigate them.
CC3.4: Identifying Changes
Control (COSO Principle 9): The entity identifies and assesses changes that could significantly impact the system of internal control.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC3.4.1
Control activity: Each year the company conducts a formal risk assessment in accordance with the Risk Assessment and Management Policy, to identify potential threats that could compromise the security commitments and requirements of its systems.
Auditor test: Review the records of the annual formal risk assessment exercise and examine the Risk Assessment and Management Policy.

CC3.4.2
Control activity: The company follows a configuration management procedure to ensure that system configurations are deployed consistently across the environment.
Auditor test: Evaluate the configuration management procedure and confirm it is implemented so that system configurations are deployed consistently across the whole environment.

CC3.4.3
Control activity: The firm scores risks by their likelihood and potential impact on platform security, availability and confidentiality, then links them to mitigating factors that wholly or partially address the risk.
Auditor test: Examine the mitigating factors linked to each evaluated risk.

CC3.4.4
Control activity: The company conducts penetration testing, develops a remediation plan, and implements changes to address vulnerabilities within the defined SLAs.
Auditor test: Examine the penetration testing records and verify that testing is performed annually.
CC4.0 Monitoring Activities
CC4.1: Continuous Evaluation
Control (COSO Principle 16): The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC4.1.1
Control activity: Senior management designates an Information Security Officer responsible for planning, evaluating, implementing and overseeing the internal control environment.
Auditor test: Examine how planning, assessment and implementation are coordinated within the internal control environment.

CC4.1.2
Control activity: The organization designates an infrastructure owner responsible for all assets listed in the inventory.
Auditor test: Examine the documented infrastructure owner assignment and confirm the owner is responsible for all assets in the inventory.

CC4.1.3
Control activity: The organization uses Sprinto, a continuous monitoring system, to track and report the status of the information security program to the Information Security Officer and other stakeholders.
Auditor test: Examine Sprinto's ongoing monitoring and reporting activities and confirm that the health of the information security program is communicated to the Information Security Officer and other stakeholders.

CC4.1.4
Control activity: Senior management reviews and approves all company policies annually.
Auditor test: Examine the company policies and confirm they have undergone annual review and approval by senior management.

CC4.1.5
Control activity: The firm regularly reviews and assesses all subservice organizations to verify that they can fulfil customer commitments.
Auditor test: Examine the subservice organizations outlined in the system description and confirm the firm has reviewed and evaluated them.
CC4.2: Reporting of Control Deficiencies
Control (COSO Principle 17): The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC4.2.1
Control activity: The company conducts annual control self-assessments to ensure that controls are present and functioning effectively, and takes corrective action in response to identified findings.
Auditor test: Examine the Secureframe platform to verify recent policy reviews and publications, and examine the Information Security Policy to confirm its annual review and updates in support of control effectiveness.

CC4.2.2
Control activity: Through the Information Security Policy, the company informs employees how to report problems, failures, incidents or concerns related to the services or systems they provide.
Auditor test: Examine the Information Security Policy and confirm it tells employees how to report system problems.

CC4.2.3
Control activity: The entity uses Sprinto, a continuous monitoring system, to monitor and report the status of the information security program to the Information Security Officer and other relevant stakeholders.
Auditor test: Examine the Sprinto system and confirm it continuously tracks, monitors and reports the status of the information security program to the security officer and stakeholders.

CC4.2.4
Control activity: Every year, senior management evaluates and approves all corporate policies.
Auditor test: Examine the firm's policies and confirm that senior management has reviewed and approved them.

CC4.2.5
Control activity: Each year, senior management evaluates and approves the status of the information security program.
Auditor test: Examine the internal audit assessment report and confirm that senior management has reviewed and approved it.
CC5.0 Control Activities
CC5.1: Risk Mitigation
Control (COSO Principle 10): The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC5.1.1
Control activity: The firm establishes a set of policies that define acceptable behavior under the firm's regulatory framework.
Auditor test: Examine the control environment policies.

CC5.1.2
Control activity: The firm has a well-defined Acceptable Use Policy that is accessible to all employees through the firm's intranet.
Auditor test: Examine the Acceptable Use Policy and confirm it is accessible to all employees via the company intranet.

CC5.1.3
Control activity: Senior management segregates roles and responsibilities to reduce risks to the services offered to clients.
Auditor test: Confirm that senior management has segregated roles and responsibilities to minimize risks to the services provided to clients.

CC5.1.4
Control activity: The company maintains a documented risk management program outlining procedures for identifying potential threats, assessing their significance, and implementing mitigation strategies for the associated risks.
Auditor test: Examine the risk management program and verify that it provides guidance on identifying potential threats, evaluating risk significance, and formulating mitigation strategies.
CC5.2: Establishment of Technology Control Activities
Control (COSO Principle 11): The entity also selects and develops general control activities over technology to support the achievement of objectives.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC5.2.1
Control activity: The firm uses Sprinto, a continuous monitoring system, to track and report the state of the information security program to the Information Security Officer and other stakeholders.
Auditor test: Examine Sprinto's ongoing monitoring capabilities and confirm that it tracks, records and reports the program's status to the Information Security Officer and stakeholders.

CC5.2.2
Control activity: Each year, senior management evaluates and approves the status of the information security program.
Auditor test: Examine the internal audit assessment report and confirm it is subsequently reviewed and approved by senior management.

CC5.2.3
Control activity: The organizational structure covering all personnel is reviewed and approved annually by senior management.
Auditor test: Examine the organizational staff chart and confirm it has been reviewed and approved by senior management.

CC5.2.4
Control activity: Every subservice organization is routinely reviewed and evaluated by the firm to ensure that obligations to the firm's clients can be maintained.
Auditor test: Confirm that the subservice organizations in the system description undergo regular review and evaluation.

CC5.2.5
Control activity: The organization establishes policies detailing acceptable behavior within the company's control environment.
Auditor test: Examine the control environment guidelines.
CC5.3: Implementing Control Policies
Control (COSO Principle 12): The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Columns: Control Activity Specified by Organization; Test Applied by Auditor; Test Results (left blank).

CC5.3.1
Control activity: All employees have access to policies and procedures through the corporate intranet.
Auditor test: Examine the company's policies and procedures and confirm they are accessible to all employees through the corporate intranet.

CC5.3.2
Control activity: Every year, all employees must review and acknowledge the company's policies.
Auditor test: Examine the policy acknowledgment records and confirm that every employee has reviewed and acknowledged the policies.

CC5.3.3
Control activity: During onboarding, new employees must read and acknowledge the company's policies, so they are aware of and prepared to meet their obligations.
Auditor test: Examine the onboarding records and confirm that each new employee has reviewed and acknowledged the policies.

CC5.3.4
Control activity: The organization maintains a set of policies that define acceptable conduct within its control environment.
Auditor test: Examine the system policies related to the control environment.

CC5.3.5
Control activity: The organization defines its objectives clearly enough to enable the identification and assessment of the risks associated with them.
Auditor test: Examine the Risk Assessment and Treatment Policy and confirm that risk categories have been specified to aid in identifying and evaluating risks related to objectives.