Upon scanning through the Common Criteria for a SOC 2, it doesn’t take long to come across criteria related to governance and the overall control environment. In particular, Common Criteria 1.2 (CC1.2)/COSO Principle 2 specifically addresses the role and expectations of the board of directors to provide oversight of internal controls. For small businesses or less mature organizations, this can be a potential hindrance in moving forward with a SOC 2. However, is a formal board of directors absolutely required to successfully address this criterion for a SOC 2 examination? Are other forms of governance sufficient? The purpose of this post is to examine this requirement in relation to a SOC 2 report and its application for organizations where a board of directors is not required, is not feasible, or is even unwarranted based on the nature of their entity.
What is a Board of Directors?
In the traditional sense (i.e. in relation to a corporation), a board of directors is a group of individuals, elected by shareholders, who form the governing body of the company and oversee management and the strategic direction of the organization. The board typically consists of internal executives as well as outside directors who are not employed by or otherwise engaged with the organization. The board of directors makes decisions on behalf of the company and its shareholders.
When is a Board of Directors Required?
Certain organizations, such as public companies and S and C corporations, are legally required to have a board of directors in place. This is further defined by state laws. The board composition and roles and responsibilities are addressed in articles of incorporation, bylaws, and/or company charters. As such, public companies and corporations are well-positioned to satisfy requirements related to governance performed by the board of directors. However, limited liability companies (LLCs) and sole proprietorships, for example, are not required to have a board of directors. These organizations may elect to have a board of directors, but some may find it too costly or unnecessary to form a board of directors with independent board members.
What is the SOC 2 Requirement for a Board of Directors?
As set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, CC1.2 states:
“The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:
- Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
- Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
- Operates Independently — The board of directors has sufficient members who are independent of management and objective in evaluations and decision making.
- Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.”
As stated, the criteria require that a board of directors be in place to provide adequate supervision and oversight of the organization. There appears to be little wiggle room when contemplating the need for a board of directors when engaging in a SOC 2 examination. However, the characteristics called out in the points of focus are not exclusive to a board of directors. A management team, or even an owner-manager, depending on the complexity of the organization, could fulfill the characteristics noted above. It seems reasonable that other forms of governance, depending on the nature of the entity, could provide adequate oversight where a board of directors is not in place.
Are There Alternatives to a Board of Directors?
Per TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, the AICPA offers a broader definition of a board of directors:
“Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.”
Based on the definition provided by the AICPA as noted above, those with responsibility for overseeing the entity are not confined to the traditional board of directors model. Rather, the AICPA recognizes that different forms of governance, depending on the nature of the entity, may be sufficient for the organization to achieve its service commitments and system requirements. So, yes, different forms of governance, depending on the nature of the entity, may be sufficient as an alternative to a board of directors.
For example, for a less complex organization with fewer personnel, a service auditor may conclude that a senior management team or executive committee provides sufficient oversight of the company and that the achievement of the service commitments and system requirements is not impacted by the lack of a formal board of directors. In such an environment, management likely participates heavily in the supervision and review of key controls, thus providing oversight of internal controls. They would be influential in the organization’s commitment to ethical and legal conduct and would also be involved in the recruitment and evaluation of employees and consultants to ensure adequate knowledge and expertise are present. In addition, management teams in this setting generally possess adequate competence and knowledge of the organization and its processes to provide adequate oversight without overreliance on others within the organization.