SOC 2 Accountability of Responsibilities (Principle 5) (CC1.5)
Overview:
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Action Items:
1) Inspect the most recent strategy meeting minutes to determine that management formally documents an organization strategy and performance policy and updates it on an annual basis to align internal control responsibilities, performance measures and incentives with company business objectives.
2) Inspect a recent report of internal control performance metrics provided to the board of directors to determine that management compiles and provides internal control performance metrics to the board of directors on an annual basis.
3) Inspect an example 360-degree review to determine that performance reviews are completed on an annual basis to evaluate the performance of employees against expected levels of performance.
Related Documents:
1) Board of directors strategy meeting minutes
2) Documented employee performance reviews
3) Sample report of internal control performance metrics
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Enforces Accountability Through Structures, Authorities, and Responsibilities—Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary.
2) Establishes Performance Measures, Incentives, and Rewards—Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.
3) Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance—Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.
4) Considers Excessive Pressures—Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
5) Evaluates Performance and Rewards or Disciplines Individuals—Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.