Overview:
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Action Items:
1) Create organizational charts that define key areas of authority, responsibility, and lines of reporting. Then publish these charts to the company intranet so employees can access and review them.
2) Create, document, and maintain position descriptions for all employment positions in the company.
3) Inspect the organizational charts on the company intranet to determine that they are in place, define the key areas of authority, responsibility, and lines of reporting, and are communicated to employees via the company intranet.
4) Inspect the documented position descriptions for a sample of employment positions to determine that a documented position description is in place for each sampled position and defines the skills and knowledge levels required for the competence level of that job.
5) Inspect a recent report of internal control performance metrics provided to the board of directors to determine that management compiles and provides internal control performance metrics to the board of directors on an annual basis.
6) Inspect a recent report of internal control performance metrics to determine that an executive management team composed of security personnel and executive staff has been established to guide the company in managing security, availability, privacy, processing integrity, and confidentiality risks.
Related Documents:
1) Organizational chart
2) Documented descriptions for all employment positions
3) Sample report of internal control performance metrics
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Considers all structures of the entity: Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives.
2) Establishes reporting lines: Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity.
3) Defines, assigns, and limits authorities and responsibilities: Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization.
4) Addresses specific requirements when defining authorities and responsibilities: Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.
5) Considers interactions with external parties when establishing structures, reporting lines, authorities, and responsibilities: Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.
Article ID: 218
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-entity-structures-reporting-lines-and-responsibilities-principle-3-cc1-3-218.html