Continuum GRC Survival Guidance - AICPA SOC 2

Security

CC1.1 - The entity demonstrates a commitment to integrity and ethical values.

CC1.1.1

Control Description - Should discuss the fact that the entity has a code of conduct or a code of ethical standards, and should address the fact that the board of directors or senior management have reviewed, updated if applicable, and approved it. Should also inquire of the client whether the board completes this review annually.

What we should test - Should inspect the code of conduct or code of ethical standards and note that the code does in fact outline the Company's commitments to integrity and ethical values. Should note that the board has reviewed, updated if applicable, and approved the code within the examination period (may have to review board minutes for verification).

CC1.1.2

Control Description - Should discuss the fact that all personnel, including contractors, are required to read and accept the code of conduct or code of ethical standards upon hire, and also inquire if all personnel are required to formally reaffirm annually thereafter. Additionally, should discuss whether vendors are required to sign agreements that clearly define ethical standards, conditions, and responsibilities.

What we should test - Should take a selection of new hires to determine whether the code was signed and acknowledged upon hire. Should take a selection of current personnel to determine whether the code was reaffirmed annually. Should take a selection of vendor agreements to determine whether ethical standards, conditions, and responsibilities are clearly defined and agreed to.

CC1.1.3

Control Description - Should discuss how management monitors personnel compliance with the code of conduct or code of ethical standards, and also if there is an anonymous ethics hotline administered by a third-party.

What we should test - Should place a test call to the hotline to confirm it is a working number. Should also inspect the code of conduct or code of ethical standards to determine whether it includes a sanctions policy for personnel who violate the code. Should also take a selection of any complaints that have been logged and inspect the documentation to determine whether the personnel involved were sanctioned as per the policy (if applicable).

CC1.1.4

Control Description - Should discuss the Company's expectations of standards and how the code of conduct or code of ethical standards addresses any corrective actions made.

What we should test - Should inspect the code of conduct or code of ethical standards to determine if the expectations and corrective actions are listed. Should also take a selection of corrective action reports to determine the steps taken.

CC1.1.5

Control Description - Should discuss how exactly the Company screens its vendors, whether through background checks, signed NDAs, signed acknowledgement of the code of conduct or code of ethical standards, etc.

What we should test - Take a sample of vendors and inspect the background checks, signed NDAs, signed codes, or any other screening evidence the Company references.

CC1.2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

CC1.2.1

Control Description - Should discuss the fact that the board is appointed to act on behalf of the shareholders and is independent of management. Should reference a board charter or agreement that each board member signs when accepting the position on the board.

What we should test - Should inspect the charter or agreement that is referenced to determine whether it indicates their independence and to document their acknowledgement.

CC1.2.2

Control Description - Should discuss whether the Board has requirements for its members, whether background checks are completed, whether skills and expertise are evaluated annually (possibly at annual board member meeting).

What we should test - Should inspect the board charter to determine if requirements are listed. Should also inspect the minutes from the annual meeting to determine that skills/backgrounds/expertise are discussed and compared to the board charter.

CC1.2.3

Control Description - Should discuss the fact that the board (or at least majority of the board) is independent from management.

What we should test - Inspect the board charter to determine whether the charter indicates the board is required to be majority independent. Should also inspect the actual members and cross-reference against senior management org chart to verify independence.

CC1.2.4

Control Description - Should discuss whether the Company has any committees (e.g., a Steering Committee) that provide support to the board.

What we should test - Inspect the Committee's structure to determine that the committee is in place. Should also inspect the charter to determine the roles and responsibilities (with respect to the trust principles under audit).

CC1.3 - Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

CC1.3.1

Control Description - Should discuss how management and the board evaluate the organizational structure, reporting lines, authorities, and responsibilities as part of the business planning process and as part of the ongoing risk assessment.

What we should test - Should inspect the annual business planning and risk assessment to determine whether organizational structure, reporting lines, authorities, and responsibilities were revised/discussed.

CC1.3.2

Control Description - Should discuss whether job descriptions are reviewed by management on an annual basis for needed changes to enable execution of authorities and responsibilities and flow of information to manage the activities of the Company.

What we should test - Should inspect the annual business planning and risk assessment to determine whether organizational structure, reporting lines, authorities, and responsibilities were revised/discussed.

CC1.3.3

Control Description - Should discuss whether job descriptions include defined roles and responsibilities and whether they are communicated to managers and supervisors taking into consideration segregation of duties as necessary. Should also include whether personnel are required to sign a copy of their job description to acknowledge their roles and responsibilities. Should also discuss whether the board and/or senior management periodically review the reporting relationships and organizational structures.

What we should test - Should inspect the organizational structure and job descriptions to determine whether organizational structure, reporting lines, authorities, and responsibilities are documented, taking into consideration segregation of duties as necessary. Should also take a selection of new hires and internal transfers to determine whether the employees signed their job descriptions. Should also inspect the annual business planning and risk assessment to determine whether organizational structure, reporting lines, authorities, and responsibilities were revised/discussed.

CC1.3.4

Control Description - Should discuss whether specific requirements with respect to authorities and responsibilities are defined (if applicable) in job descriptions. If there are specific requirements noted, the control should include this fact. If not, this will most likely be "lumped in" with CC1.3.3.

What we should test - See CC1.3.3.

CC1.3.5

Control Description - Should discuss how the Company communicates to external parties their structure, reporting lines, authorities, and responsibilities. This could include whether their website communicates this, or if specific documents are used and sent to external parties. Should also include whether job descriptions include roles and responsibilities for personnel when interacting with external parties, and whether personnel are required to sign their job description acknowledging these responsibilities.

What we should test - Should inspect the Company's website to determine whether it has the noted communication to external parties, or inspect the specific documents used. Should also take a selection of signed job descriptions to determine whether they include responsibilities for interacting with external parties, and note that they are signed.

CC1.4 - The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

CC1.4.1

Control Description - Should discuss how the Company establishes their policies and practices with respect to attracting, developing, and retaining competent individuals. This should be through job descriptions, specific policies describing the Company's practices, and/or specific trainings administered for personnel.

What we should test - Should inspect a selection of job descriptions, inspect policies, and/or inspect training outlines to determine whether the Company documented the requirements in the respective evidence provided.

CC1.4.2

Control Description - Should discuss how the Company evaluates its personnel. This should be through some sort of annual performance assessment, and the assessment should include how the Company would address shortcomings (up to, and including, termination).

What we should test - Should inspect a selection of performance evaluations to determine that performance evaluations were completed, and that the Company addresses shortcomings.

CC1.4.3

Control Description - Should discuss how the Company attracts, develops, and retains individuals. This could include hiring qualifications, something in the employee handbook that outlines standards of performance, new hire orientation programs, etc.

What we should test - Should inspect job descriptions, the employee handbook, new hire orientation programs, etc., whatever the Company references in the control.

CC1.4.4

Control Description - Should discuss whether the Company plans for succession. This can be done by senior management or board of directors. Should also discuss how the succession is documented (business continuity plan, succession plan, etc).

What we should test - Should inspect the board minutes indicating business continuity was discussed to determine how often the Company evaluates and reviews its continuity plan. Should also inspect the actual succession plan to determine whether the plan includes specific plans for assignments and responsibilities important for internal control.

CC1.4.5

Control Description - Should discuss whether the Company performs background checks, including credit, criminal, drug, and employment checks. Should also discuss whether the Company reperforms the background checks periodically (if not, that is acceptable, but we may want to recommend that they do).

What we should test - Should inspect a selection of completed background checks to determine whether all new hires have a background check completed, and what type(s) of checks (credit, criminal, drug, and/or employment). Should also take a sample of existing employees to determine whether background checks were reperformed (if applicable).

CC1.4.6

Control Description - Should include whether the Company considers technical competency for new and existing personnel. This should include whether the Company has pre-employment screenings (whether competencies are listed on job descriptions and whether the Company reviews resumes), and whether annual performance evaluations cover technical competencies (could possibly include required CPE).

What we should test - Should inspect job descriptions and a selection of performance reviews to determine whether the Company addresses and considers technical competencies for new and existing personnel.

CC1.4.7

Control Description - This is a follow-up to CC1.4.6 and should include the actual training (provided by the Company, whether internal or external) to maintain technical competencies.

What we should test - Should inspect a selection of personnel to confirm completed trainings (or inspect the sign-in list for the trainings). Should also inspect the training program to determine whether the Company provides the trainings (or the means to, if external).

CC1.5 - The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

CC1.5.1

Control Description - Should include how the Company enforces accountability. This can be done by having a policy noting personnel accountability, but should also discuss performance evaluations.

What we should test - Should inspect the policy and a selection of performance evaluations to determine whether the Company enforces accountability and implements corrective action as necessary.

CC1.5.2

Control Description - Should include how the Company establishes performance goals and provides incentives and/or rewards. This can be done by having a policy noting the reward structure, but should also discuss performance evaluations.

What we should test - Should inspect the policy and a selection of performance evaluations to determine whether the Company establishes performance goals and provides specific rewards and/or incentives for meeting goals (promotions, raises, bonuses, etc). If applicable, should also inspect the annual Executive Compensation Package and determine whether it was approved by the Compensation Committee.

CC1.5.3

Control Description - Should include how the Company measures performance. This can be a follow-up to, and included with, the previous control on the report.

What we should test - Should inspect policies and procedures and a selection of performance evaluations to determine whether the Company measures performance and provides specific rewards and/or incentives for meeting goals (promotions, raises, bonuses, etc). If applicable, should also inspect the annual Executive Compensation Package and determine whether it was approved by the Compensation Committee.

CC1.5.4

Control Description - Should include how the Company considers pressures with respect to the performance goals discussed in the previous two controls. This control may discuss how incentives are not based on the number of exceptions since this could ultimately end up leading to fraud.

What we should test - Should inspect policies and procedures and a selection of performance evaluations to determine whether the Company considers excessive pressures with respect to performance and provides specific rewards and/or incentives for meeting goals (promotions, raises, bonuses, etc). If applicable, should also inspect the annual Executive Compensation Package and determine whether it was approved by the Compensation Committee.

CC1.5.5

Control Description - Should discuss how the Company evaluates performance and whether the Company provides rewards or exercises disciplinary action.

What we should test - Should inspect policies and procedures and a selection of performance evaluations to determine whether the Company provides rewards or exercises disciplinary action when evaluating performance.

CC2.1 - The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

CC2.1.1

Control Description - Should discuss whether the Company has an assessment (at least annually) to identify the information required and expected to support the internal control and the achievement of the Company's service commitments and system requirements (include any specifics).

What we should test - Should inspect the annual assessment to determine whether the assessment identifies the information required to support internal controls and the achievement of the Company's service commitments and system requirements (including any specifics).

This control requirement may be confusing at first, but examine it from a Data Classification and Data Labelling perspective. What types of data flow through the system under review? What types of data are contained in the system for which the Company acts as custodian?

These are some good examples:

CC2.1.2

Control Description - Should discuss whether the Company has an assessment (at least annually) that captures internal and external data sources when identifying the information required to support the internal control and the achievement of the Company's service commitments and system requirements. This can most likely be grouped in with

What we should test - Should inspect the annual assessment to determine whether the assessment captures internal and external data sources when identifying the information required to support the internal control and the achievement of the Company's service commitments and system requirements.

CC2.1.3

Control Description - Should discuss whether the Company has an assessment (at least annually) to identify key information system processes that process relevant data into information to support the internal control and the achievement of the Company's service commitments and system requirements.

What we should test - Should inspect the annual assessment to determine whether the assessment identifies the key information system processes that process relevant data into information to support the internal control and the achievement of the Company's service commitments and system requirements.

CC2.1.4

Control Description - Should discuss whether the Company has implemented various processes and procedures to produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained.

What we should test - Should inspect the documented policies and procedures to determine that they document the Company's internal controls for producing timely, current, accurate, complete, accessible, protected, verifiable, and retained information, as applicable.

CC2.2 - The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

CC2.2.1

Control Description - Should discuss whether there is information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls that is provided to personnel to carry out their responsibilities.

What we should test - However the Company provides the information to employees (whether on its intranet, disseminated and signed for by the employee, etc), we will need to test the actual dissemination. If on the intranet, inspect a screenshot of it and determine that it is available to all employees. If employees sign for receipt of the information, take a selection of employees and inspect their signature pages.

CC2.2.2

Control Description - Should discuss how often senior management meets with the board of directors to communicate information needed to fulfill their roles with respect to the achievement of the Company's service commitments and system requirements.

What we should test - Inspect a selection of board minutes (always pick the annual board meeting and also a selection of any other meetings, like quarterly meetings) to determine whether the minutes documented discussion of key items with respect to the achievement of the Company's service commitments and system requirements.

CC2.2.3

Control Description - Should discuss whether the Company has a whistle-blower hotline, ideally administered by a third party. If it is not administered by a third party, that is not an exception. However, it is best practice to have the hotline be independent from the Company.

What we should test - Should call or email the whistle-blower hotline to confirm its existence and determine whether it is actively monitored. For any complaints noted, inspect a selection to determine that personnel who violated the code of conduct were sanctioned as per the policy.

CC2.2.4

Control Description - Should discuss how the Company communicates information to all personnel to support the functioning of internal control, specifically considering the timing, audience, and nature of the information.

What we should test - Should inspect any board minutes that may be relevant, depending on the Company and their control description. Should also inspect documented incident response policies and procedures to determine whether they include an escalation tree and communication plans depending on the nature of the incident, including escalation to the board, as necessary.

CC2.2.5

Control Description - Should discuss whether responsibilities are communicated to internal and (possibly) external users, and how they are communicated.

What we should test - Should inspect whether policies and procedures are made available to internal and external users. Should inspect how they are communicated. Should also inspect each policy to determine whether it includes a history of changes with the respective dates of changes.

CC2.2.6

Control Description - Should discuss whether the Company has provided to internal and external users information on how to report security failures, incidents, concerns, and other complaints to appropriate personnel.

What we should test - Should inspect the Company's documented incident response policies and procedures to determine whether they include an escalation tree and communication plans depending on the nature of the incident, including escalation to the board, as necessary.

CC2.2.7

Control Description - Should discuss how the Company communicates changes to the Company's commitments and system requirements to internal and external users.

What we should test - Should inspect the lines of communication to determine whether changes are communicated to both internal and external users.

CC2.2.8

Control Description - Should discuss what training the Company provides as it relates to its security commitments and requirements for personnel to support the achievement of objectives. Can also include any guides or security alerts that are provided to external users (on website or customer portal).

What we should test - Should obtain completion documents indicating personnel attending and completing the required training (attendance sheets or completion certificates). Should also inspect the website and customer portal for external communication.

CC2.2.9

Control Description - Should discuss whether the Company posts a description of its system, system boundaries, and system processes that include infrastructure, software, people, processes and procedures, and data on its intranet for internal users and on the internet for external users.

What we should test - Should inspect the intranet and internet descriptions of the service organization's system, system boundaries, and system processes to determine whether the description addressed infrastructure, software, people, processes and procedures, and data for the in-scope technology and locations.

CC2.2.10

Control Description - Should include how the Company communicates its system objectives to personnel to enable them to carry out their responsibilities.

What we should test - Should inspect the lines of communication to determine whether all personnel have access to the system objectives in order to enable them to carry out their responsibilities.

CC2.2.11

Control Description - Should discuss how planned changes to system components are reviewed, scheduled, and communicated to appropriate personnel.

What we should test - Should inspect a selection of IT maintenance schedules and communications to determine whether planned system changes were included and had been reviewed and signed off by management. Should also inspect the customer portal to determine whether it includes a published calendar of upcoming system changes and that it is communicated to external users.

CC2.3 - The entity communicates with external parties regarding matters affecting the functioning of internal control.

CC2.3.1

Control Description - Should discuss and describe the process the Company has for communicating to external parties any incidents affecting the functioning of internal control. This is typically done through an incident response policy and procedure.

What we should test - Inspect the policies and procedures to determine the Company has in place a process to communicate to external parties.

CC2.3.2

Control Description - Should discuss and describe how the Company allows for inbound communication from external parties. This is typically done through the "Contact Us" portion of their website. The Company should also have an anonymous hotline (typically administered by a third-party). The Company may also provide a service hotline for all vendors.

What we should test - Should inspect any policies and procedures that describe how the Company has inbound communication in place. Should also inspect the website and test-dial the "Contact Us" phone number and/or email the contact address to determine whether the Company actively uses and monitors such communication channels.

CC2.3.3

Control Description - Should discuss whether senior management meets with the board of directors, and how often. Should discuss that the purpose of the meeting is to provide relevant information resulting from assessments conducted by external parties and any information provided by external parties. This is typically any audits completed and the board accepting the results of the audits (could be audit committee as well, if Company is big enough).

What we should test - Should inspect the minutes of all meetings to determine whether there was a discussion regarding relevant information resulting from assessments conducted by external parties, or whether any information from external parties was provided. Should inspect the minutes to determine whether the board discussed and approved the SOC 2 report and any other external audits (e.g., the year-end financial statement audit).

CC2.3.4

Control Description - Should discuss and describe how the Company allows for inbound communication from external parties. This is typically done through the "Contact Us" portion of their website. The Company should also have an anonymous hotline (typically administered by a third-party). The Company may also provide a service hotline for all vendors.

What we should test - Should inspect any policies and procedures that describe how the Company has inbound communication in place. Should also inspect the website and test-dial the "Contact Us" phone number and/or email the contact address to determine whether the Company actively uses and monitors such communication channels.

CC2.3.5

Control Description - Should discuss how the Company communicates with external parties, what channels of communication are used, and whether those channels consider the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements.

What we should test - This control will tie in with a lot of the above controls. Should inspect the specific channels of communication to determine whether the Company considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements.

CC2.3.6

Control Description - Should discuss how the Company communicates with external parties with respect to the objectives related to confidentiality.

What we should test - Should inspect any policies and procedures related to the communication with external parties with respect to the objectives related to confidentiality. Should also inspect a selection of service agreements to determine whether the agreements reference the objectives related to confidentiality.

CC2.3.7

Control Description - Should discuss how the Company communicates with external parties with respect to the objectives related to privacy.

What we should test - Should inspect any policies and procedures related to the communication with external parties with respect to the objectives related to privacy. Should also inspect a selection of service agreements to determine whether the agreements include a privacy policy and if they reference the objectives related to privacy.

CC2.3.8

Control Description - Should discuss how the Company communicates with relevant external parties information about the design of the system and its operation and boundaries in order for the external parties to understand their roles and responsibilities.

What we should test - Should inspect any policies and procedures to determine whether the Company communicates information about the design of the system and its operation and boundaries to any relevant external parties.

CC2.3.9

Control Description - Should discuss how the Company communicates system objectives to external parties.

What we should test - Should inspect any policies and procedures to determine whether the Company communicates system objectives to external parties. Should also inspect a selection of service agreements to determine whether the agreements contain language communicating system objectives.

CC2.3.10

Control Description - Should discuss how the Company communicates system responsibilities to external parties who design, develop, implement, operate, maintain, and monitor system controls.

What we should test - Should inspect any policies and procedures to determine whether the Company communicates system responsibilities to external parties. Should also inspect a selection of service agreements to determine whether the agreements contain language communicating system responsibilities.

CC2.3.11

Control Description - Should discuss how the Company allows external parties to communicate information on system failures, incidents, concerns, and other matters involving internal controls.

What we should test - Should inspect the channels of communication the Company has for external parties to communicate such matters, and also test the channel of communication (test call or email) to determine whether the Company actively uses and monitors such channels.

CC3.1 - The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

CC3.1.1

Control Description - Should discuss whether the Company performs a risk assessment (at least annually) that reflects management's choices about structure, industry considerations, and performance of the entity.

What we should test - Should inspect the annual risk assessment to determine whether the risk assessment reflects management's choices about structure, industry considerations, and performance of the entity.

CC3.1.2

Control Description - Should discuss whether the Company's tolerance for risk (risk appetite) is considered as part of the annual risk assessment.

What we should test - Should inspect the annual risk assessment to determine whether the Company's risk appetite was considered as part of the risk assessment.

CC3.1.3

Control Description - Should discuss whether an annual budget is reviewed (by management or CFO), presented to the board, and approved by the board.

What we should test - Inspect the budget and the board minutes to determine whether the budget was reviewed, presented to the board, and approved by the board.

CC3.1.4

Control Description - This is a follow-up to the previous control. Should discuss whether the annual budget is approved and whether resources are allocated appropriately to attain the desired operations and financial performance.

What we should test - Inspect the budget and the board minutes to determine whether the budget was approved and whether additional resources were allocated to attain the desired operations and financial performance of the Company.

CC3.1.5

Control Description - This control is only applicable if the Company has an external financial statement audit completed. If so, should discuss whether the financial reporting complies with applicable accounting standards (generally GAAP). If not, leave this control out of the report as it will not be applicable.

What we should test - Because an independent audit is completed, we can rely on the report. Therefore, should inspect the annual financial statement audit to determine whether an unqualified (unmodified) opinion was presented. If so, simply state that in our testing response. If anything other than an unqualified (unmodified) opinion, discuss with Taylor or Jonathan to determine next steps.

CC3.1.6

Control Description - This control is only applicable if the Company has an external financial statement audit completed. If so, should discuss whether materiality was considered with respect to the external financial statement audit. If not, leave this control out of the report as it will not be applicable.

What we should test - Because an independent audit is completed, we can rely on the report. Therefore, should inspect the annual financial statement audit report to determine whether it references the materiality basis applied by the auditor and whether an unqualified (unmodified) opinion was presented. If so, simply state that in our testing response. If anything other than an unqualified (unmodified) opinion, discuss with Taylor or Jonathan to determine next steps.

CC3.1.7

Control Description - This control is only applicable if the Company has an external financial statement audit completed. If so, should discuss whether the external financial statement audit reflects entity activities. If not, leave this control out of the report as it will not be applicable.

What we should test - Because an independent audit is completed, we can rely on the report. Therefore, should inspect the annual financial statement audit report to determine whether the opinion covers the entity's financial statements for the period under examination and whether an unqualified (unmodified) opinion was presented. If so, simply state that in our testing response. If anything other than an unqualified (unmodified) opinion, discuss with Taylor or Jonathan to determine next steps.

CC3.1.8

Control Description - Should discuss whether the Company complies with externally established frameworks for nonfinancial reporting (internal controls, laws, regulations, etc.). May also discuss whether the Company has a specific committee or employee that has the responsibility to ensure compliance (steering committee, general counsel, etc.).

What we should test - Should inspect policies and procedures to determine whether they outline the Company's compliance with any, and all, externally established frameworks. If applicable, should inspect job descriptions or committee minutes to determine whether the employee or committee is responsible to ensure compliance with externally established frameworks.

CC3.1.9

Control Description - Should discuss whether the Company and senior management consider the required level of precision to meet user needs with respect to nonfinancial reporting.

What we should test - Should inspect Company policies to determine whether the policies outline whether the Company and senior management consider the required level of precision to meet user needs (which could mean contractual, legal, and regulatory obligations, among other needs).

CC3.1.10

Control Description - Should discuss whether any external reporting reflects the underlying transactions and events within a range of acceptable limits with respect to nonfinancial reporting frameworks.

What we should test - Should inspect policies or agreements (such as a master services agreement) to determine whether they outline the responsibilities of the Company and the external auditor with respect to the underlying transactions and events being within acceptable limits.

CC3.1.11

Control Description - Should discuss how management's choices are reflected in managing the Company - this can be described through policies or through management updating the board in order for the board to make appropriate and informed decisions.

What we should test - Should inspect the policies and/or board minutes to determine whether management's choices are reflected in managing the Company.

CC3.1.12

Control Description - Should discuss how management requires a level of precision and accuracy suitable for user needs in nonfinancial reporting. If an external audit is completed, this should reference the use of materiality as well.

What we should test - Should inspect policies or agreements (such as a master services agreement) to determine whether a level of precision and accuracy is required in nonfinancial reporting as established by management. If an external audit is completed, we should inspect the report and reference the opinion, as above.

CC3.1.13

Control Description - Should discuss whether any internal reporting reflects the underlying transactions and events within a range of acceptable limits with respect to internal reporting objectives.

What we should test - Should inspect the policies that outline internal reporting objectives to determine whether they outline the responsibilities of management with respect to the underlying transactions and events being within acceptable limits.

CC3.1.14

Control Description - Should discuss how the Company integrates laws and regulations into compliance objectives, for example when creating its standards of conduct and other policies.

What we should test - Should inspect any policies or service agreements that outline the requirement of the Company to adhere to all laws and regulations.

CC3.1.15

Control Description - Should discuss whether the Company's tolerance for risk (risk appetite) is considered as part of the achievement of operations objectives.

What we should test - Should inspect the compliance policies to determine whether the Company's risk appetite was considered as part of the achievement of operations objectives.

CC3.1.16

Control Description - Should discuss how management establishes sub-objectives related to all trust service principles under audit (security, availability, processing integrity, confidentiality, and privacy) to support the achievement of objectives related to reporting, operations, and compliance. These could be outlined in compliance policies and/or service agreements.

What we should test - Should inspect the compliance policies and service agreements to determine whether management establishes sub-objectives related to trust service principles to support the achievement of objectives related to reporting, operations, and compliance.

CC3.2 - The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

CC3.2.1

Control Description - Should discuss how the Company identifies and assesses risks at each level relevant to the achievement of objectives. Should discuss specifics regarding steering committee, senior management, or the like meeting to discuss the strategy and operations, financial results, risk considerations, and other factors critical to the business.

What we should test - Should inspect minutes of the steering committee, or policies designed by management, to determine whether organizational strategy and operations, financial results, and risk considerations critical to the business were discussed.

CC3.2.2

Control Description - Should discuss whether a risk assessment is performed (at least annually) that identifies risks arising from external and internal sources, and whether the effectiveness of the controls that mitigate those risks is shared with senior management and the board (and audit committee, if applicable).

What we should test - Should inspect the annual risk assessment to determine whether risks arising from external and internal sources and effectiveness of controls to mitigate those risks were identified and communicated.

CC3.2.3

Control Description - Should discuss whether an overview of the annual risk assessment is presented to the board (or audit committee) as well as used to help establish the annual audit plan.

What we should test - Should inspect board minutes and meeting agendas from board meetings to determine whether an overview of the risk assessment was communicated.

CC3.2.4

Control Description - Should discuss how the Company analyzes and estimates the potential significance of identified risks. Should also include how often the Company assesses and responds to risks.

What we should test - Should inspect board minutes and meeting agendas (at the frequency stated in the control) to determine whether risks and vulnerabilities were identified, assessed, and analyzed by management.

CC3.2.5

Control Description - Should discuss how the Company responds to risks identified, and whether to accept, avoid, reduce, or share the risks.

What we should test - Should inspect the annual risk assessment to determine whether risks were identified and whether the assessment noted whether to accept, avoid, reduce, or share the risks.

CC3.2.6

Control Description - Should discuss how management identifies and assesses criticality of information assets and identifies threats and vulnerabilities.

What we should test - Should inspect the annual risk assessment to determine whether management identifies and assesses criticality of information assets and identifies threats and vulnerabilities in the manner that is described in the control.

CC3.2.7

Control Description - Should discuss whether a company-wide risk assessment is performed annually by management and includes identifying threats to operations, including threats from vendors, business partners, and other parties.

What we should test - Should inspect the annual risk assessment documentation to determine whether it includes the identification of threats to operations, including threats from vendors, business partners, and other parties.

CC3.2.8

Control Description - Should discuss whether a company-wide risk assessment is performed annually by management and includes whether the Company considers the potential significance of the identified risks.

What we should test - Should inspect the annual risk assessment documentation to determine whether it includes consideration of the potential significance of the identified risks.

CC3.3 - The entity considers the potential for fraud in assessing risks to the achievement of objectives.

CC3.3.1

Control Description - Should discuss whether management conducts a periodic fraud risk assessment to identify the various ways that fraud and misconduct can occur, including how management might engage in inappropriate actions, and maintains documentation of this assessment.

What we should test - Should inspect the fraud risk assessment documentation to determine whether management periodically evaluated and assessed the various ways fraud and misconduct can occur and that documentation of the assessment was maintained.

CC3.3.2

Control Description - Should discuss whether the board (and/or audit committee, if applicable) and management review the Company's compensation and performance evaluation programs annually to identify potential incentives and pressures for employees to commit fraud.

What we should test - Should inspect the fraud risk assessment documentation to determine whether compensation and performance evaluation programs were reviewed annually by the board (and/or audit committee, if applicable) and management.

CC3.3.3

Control Description - Should discuss whether the Company has established measures to protect against unauthorized and willful acquisition, use, or disposal of assets.

What we should test - Should inspect the fraud risk assessment documentation to determine whether measures were established to protect against unauthorized and willful acquisition, use, or disposal of assets.

CC3.3.4

Control Description - Should discuss whether a fraud risk assessment is conducted periodically that considers how management and other personnel might engage in or justify inappropriate actions.

What we should test - Should inspect the fraud risk assessment documentation to determine whether there is consideration of how management and other personnel might engage in or justify inappropriate actions.

CC3.3.5

Control Description - Should discuss whether management uses information technology tools including security systems, fraud detection and monitoring systems, and incident tracking systems to identify and manage fraud risk.

What we should test - Should inspect the fraud risk assessment documentation to determine whether management considered threats and vulnerabilities arising from the use of IT and access to information. Should also inspect the security, fraud detection and monitoring, and incident tracking systems named in the control to determine that they are in place and used to identify and manage fraud risk.

CC3.4 - The entity identifies and assesses changes that could significantly impact the system of internal control.

CC3.4.1

Control Description - Should discuss whether the Company, through its ongoing annual risk assessment process, evaluates changes in the regulatory, economic, and physical environment in which the Company operates.

What we should test - Should inspect the annual risk assessment documentation to determine whether management identified the need for new controls to address risks that were not adequately addressed by existing controls. Should also inspect a selection of change requests to determine whether management followed the change management process for new controls identified.

CC3.4.2

Control Description - Should discuss whether the Company, through its ongoing annual risk assessment process, evaluates changes in the potential impact of new business lines, dramatically altered business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.

What we should test - Should inspect the annual risk assessment documentation to determine whether management identified the need for new controls to address risks that were not adequately addressed by existing controls. Should also inspect a selection of change requests to determine whether management followed the change management process for new controls identified.

CC3.4.3

Control Description - Should discuss whether the Company, through its ongoing annual risk assessment process, evaluates changes in the management and respective attitudes and philosophies on the system of internal control.

What we should test - Should inspect the annual risk assessment documentation to determine whether management identified the need for new controls to address risks that were not adequately addressed by existing controls. Should also inspect a selection of change requests to determine whether management followed the change management process for new controls identified.

CC3.4.4

Control Description - Should discuss whether the Company, through its ongoing annual risk assessment process, evaluates changes in the Company's systems and changes in the technology environment.

What we should test - Should inspect the annual risk assessment documentation to determine whether management identified the need for new controls to address risks that were not adequately addressed by existing controls. Should also inspect a selection of change requests to determine whether management followed the change management process for new controls identified.

CC3.4.5

Control Description - Should discuss whether the Company, through its ongoing annual risk assessment process, evaluates changes in vendor and business partner relationships.

What we should test - Should inspect the annual risk assessment documentation to determine whether management identified the need for new controls to address risks that were not adequately addressed by existing controls. Should also inspect a selection of change requests to determine whether management followed the change management process for new controls identified.

CC4.1 - The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.1.1

Control Description - Should discuss what the Company does to maintain ongoing and separate evaluations, and whether these are conducted by management or by internal audit.

What we should test - Should inspect policies and procedures defining the ongoing and separate evaluations.

CC4.1.2

Control Description - Should discuss whether the Company and management consider the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.

What we should test - Should inspect policies and procedures to determine whether the Company and management consider the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.

CC4.1.3

Control Description - Should include whether the Company developed, documented, and maintained a baseline configuration of the internal control system.

What we should test - Should inspect the baseline configuration documentation to determine whether the design and current state of the internal control system was used to establish a baseline for ongoing and separate evaluations.

CC4.1.4

Control Description - Should discuss whether the Company provides trainings, as well as annual performance reviews, for internal audit personnel.

What we should test - Should obtain attendance sheets for trainings or certificates of completion, as well as the annual performance reviews for internal audit personnel. Should determine whether employees signed the attendance sheet, or have a certificate of completion, for all training sessions and updates.

CC4.1.5

Control Description - Should discuss whether ongoing evaluations adjust due to changing conditions or any potential changes impacting the Company's risk profile.

What we should test - Should inspect the internal audit plan assessment to determine whether the internal audit plan and scope was assessed to identify potential changes impacting the Company's risk profile.

CC4.1.6

Control Description - Should discuss whether the Company adjusts the scope and frequency of ongoing evaluations due to changing conditions or any potential changes impacting the Company's risk profile.

What we should test - Should inspect the internal audit plan assessment to determine whether the internal audit plan and scope was assessed to identify potential changes impacting the Company's risk profile.

CC4.1.7

Control Description - Should discuss whether the audit team (whether using internal or external for the audit of internal controls) is independent of management.

What we should test - Should inspect the organizational chart to determine whether the internal audit team is independent of management and reports to an audit committee, if applicable, or, if an external audit is used, whether the external auditor is independent of the Company.

CC4.1.8

Control Description - Should discuss whether the service organization performs different types of ongoing and separate evaluations (may include other audits - CJIS, FedRAMP, ISO, etc.).

What we should test - Should inspect any other audits completed and note the opinion of the audit report.

CC4.2 - The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC4.2.1

Control Description - Should discuss whether complete reports of deficiencies in internal control from internal and external sources are provided to the board and audit committee, and whether the board and audit committee work with management to suggest appropriate remediation and follow up to ensure that proper controls have been established.

What we should test - Should inspect minutes from the annual board meeting and the audit reports to determine whether deficiencies in internal control from internal and external sources were reported to the board and audit committee.

CC4.2.2

Control Description - Should discuss whether the Company has established a practice that requires all deficiencies rated as serious threats to be reported to senior management and to the board or audit committee.

What we should test - Should inspect minutes from the annual board meeting to determine whether the deficiencies rated as serious threats were reported to the board.

CC4.2.3

Control Description - Should discuss whether the board and/or audit committee track the status of all deficiencies that have been rated as a serious threat to the organization until satisfactorily resolved.

What we should test - Should inspect the deficiency tracking matrix to determine whether deficiencies rated as serious threats to the organization were tracked to resolution by the board and/or audit committee.

CC5.1 - The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

CC5.1.1

Control Description - Should discuss whether management uses its annual risk assessment to link the identified risks to the controls that have been designed and operated to address them, and whether, where there is a need for new controls, management develops the requirements for the new controls and uses the change management process to implement them.

What we should test - Should obtain and inspect the annual risk assessment documentation to determine whether new controls were implemented for any risks not adequately addressed by existing controls. Should also inspect a selection of system change requests to determine whether the change management process was followed.

CC5.1.2

Control Description - Should discuss whether management uses its annual risk assessment to assess the environment, complexity, nature, and scope of its operations when developing control activities to mitigate the risks.

What we should test - Should obtain and inspect the annual risk assessment documentation to determine whether management assessed the environment, complexity, nature, and scope of its operations when developing control activities to mitigate the risks.

CC5.1.3

Control Description - Should discuss whether management determines which relevant business processes require control activities.

What we should test - Should inspect policies and procedures to determine whether management determines which relevant business processes require control activities.

CC5.1.4

Control Description - Should discuss how and when management identifies the need for new controls, and whether they consider a mix of control activities, including both manual and automated controls and preventive and detective controls.

What we should test - Should obtain and inspect the annual risk assessment documentation to determine whether management considered a mix of control activities to mitigate the identified risks.

CC5.1.5

Control Description - Should discuss whether management considers control activities at various levels in the entity.

What we should test - Should obtain and inspect the annual risk assessment documentation to determine whether management considered control activities at various levels in the entity.

CC5.1.6

Control Description - Should discuss whether the Company has designed application-enforced segregation of duties to define what privileges are assigned to users within applications.

What we should test - Should inspect the access control policy to determine whether application controls were designed to enforce segregation of duties to users within applications.

CC5.2 - The entity also selects and develops general control activities over technology to support the achievement of objectives.

CC5.2.1

Control Description - Should discuss whether the Company has an IT strategic plan and whether strategic IT risks affecting the organization and recommended courses of action are identified and discussed.

What we should test - Should inspect the annual IT strategic plan documentation to determine whether IT risk affecting the organization and recommended courses of action were identified and discussed.

CC5.2.2

Control Description - Should discuss whether management developed a list of control activities to manage the technology infrastructure risks identified during the annual risk assessment process.

What we should test - Should inspect the annual risk assessment, internal audit plan, and audit program for the attestation period to determine whether management developed and implemented control activities over the technology infrastructure.

CC5.2.3

Control Description - Should discuss whether management developed a list of control activities to manage the security access management risks identified during the annual risk assessment process.

What we should test - Should inspect the annual risk assessment, internal audit plan, and audit program for the attestation period to determine whether management developed and implemented control activities designed to restrict technology access rights to authorized users commensurate with their job responsibilities and protect corporate assets from external threats.

CC5.2.4

Control Description - Should discuss whether the Company employs organization-defined tailored acquisition strategies and procurement methods for the purchase, development, and maintenance of information systems, system components, or information system services from technology suppliers.

What we should test - Should inspect the procurement policy manual to determine whether management employed acquisition strategies and procurement methods for the purchase, development, and maintenance of information systems, system components, or information system services from technology suppliers.

CC5.3 - The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

CC5.3.1

Control Description - Should discuss whether the Company's policy and procedures manuals address controls over significant aspects of operations. May want to list out the policy sections (examples include: security requirements for authorized users; data classification and associated protection, access rights, retention, and destruction requirements; risk assessment; access protection requirements; user provisioning and deprovisioning; responsibility and accountability for security; responsibility and accountability for system changes and maintenance; change management; complaint intake and resolution; security and other incidents identification, response, and mitigation; security training; handling of exceptions and situations not specifically addressed in policies; commitment and requirement identification and compliance measurement; information sharing and disclosure).

What we should test - Should inspect the policy and procedure manuals to determine whether they included section headings that addressed controls over the significant aspects of system operations.

CC5.3.2

Control Description - Should discuss whether the Company has a team or committee (ex. Steering Committee) that is charged with establishing, maintaining, and enforcing the overall security policies and procedures.

What we should test - Should inspect a selection of minutes from the meetings of the committee to determine whether the committee was charged with establishing, maintaining, and enforcing the overall security policies and procedures.

CC5.3.3

Control Description - Should discuss whether the Company has periodic (weekly, monthly) service level assessments that are performed by the functional heads of each department and whether these assessments include evaluation of the operation of key controls.

What we should test - Should inspect a selection of the periodic assessments to determine whether the evaluation of the operation of key controls were performed by department heads.

CC5.3.4

Control Description - Should discuss whether assessments are reviewed periodically by management and whether they require the development of corrective action plans for control weaknesses.

What we should test - Should inspect a selection of minutes from the meetings of the committee to determine whether corrective action plans were developed for control weaknesses and reviewed by management.

CC5.3.5

Control Description - Should discuss whether the Company has written job descriptions specifying the responsibilities and the academic and professional requirements for key job positions. Should also discuss whether human resources personnel screen job applicant qualifications based on the defined requirements within the job description.

What we should test - Obtain and inspect a selection of job descriptions for key job positions to determine whether the job descriptions included responsibilities and academic and professional requirements. Should also take a selection of employees and inspect their employee file to determine whether transcripts, references, or other requirements were confirmed by human resources.

CC5.3.6

Control Description - Should discuss whether the Company's policy and procedure manuals are reviewed at least annually by senior management for consistency with the Company's risk mitigation strategy and updated as necessary for changes in the strategy.

What we should test - Should inspect the policy and procedure manuals to determine whether policies and procedures had been updated for changes in the risk mitigation strategy, and whether an (at least) annual review had been performed by senior management.

CC6.1 - The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

CC6.1.1

Control Description - Should discuss whether the Company monitors all system components (ex - through an automated management interface) to log, track, and maintain all inventory components.

What we should test - Should inspect the automated inventory management tool to determine whether the tool is in place to monitor the system components.

CC6.1.2

Control Description - Should discuss whether the Company restricts remote logical access by requiring multi-factor authentication and a virtual private network (VPN).

What we should test - If possible, observe a remote login session to determine that multi-factor authentication and a VPN were required to access the production network; otherwise, obtain screenshots of the login session.

CC6.1.3

Control Description - Should discuss how the Company identifies and authenticates users by requiring unique usernames and passwords.

What we should test - Should inspect login attempts to determine that the system components required users to authenticate, and should also inspect the system settings that require unique usernames and passwords.

CC6.1.4

Control Description - Should discuss whether the Company segments its network, for example by requiring end-user and server workload network traffic to be segmented to support isolation.

What we should test - Should inspect the network diagram and network configurations to determine whether the segments described in the control (for example, end-user traffic, server workloads, and customer environments and data) are in fact isolated from one another.

CC6.1.5

Control Description - Should discuss whether management performs a periodic access review for the in-scope system components to ensure that access is restricted appropriately and whether tickets are created to remove access as necessary in a timely manner.

What we should test - Should inspect access review documentation to determine that an access review was performed for in-scope system components and that tickets were created to remove inappropriate access.

CC6.1.6

Control Description - Should discuss whether the Company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

What we should test - Should inspect the data classification policy to determine whether procedures existed around classifying and protecting confidential information.

CC6.1.7

Control Description - Should discuss whether passwords for in-scope system components are configured according to a Company policy, and what the password requirements are.

What we should test - Should inspect the in-scope system components to determine whether passwords were configured according to Company policy.
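One way to perform the comparison above on a Linux host, as an added example that is not part of the Continuum GRC guidance: the policy thresholds and the sample configuration lines are constructed for illustration, while the key names are the real PAM settings from /etc/security/pwquality.conf and /etc/login.defs (in pwquality a negative credit value means "at least that many characters of the class are required").

```python
"""Compare a host's password settings against the Company password policy.

Added example, not part of the Continuum GRC guidance. POLICY, PWQUALITY_CONF
and LOGIN_DEFS are constructed; a real test would pull the two files from each
in-scope system component and use the thresholds stated in the Company policy.
"""
import re

# Constructed policy: hypothetical Company requirements.
POLICY = {
    "minlen": 12,          # pwquality: minimum total length
    "dcredit": -1,         # pwquality: at least one digit
    "ucredit": -1,         # pwquality: at least one upper-case letter
    "lcredit": -1,         # pwquality: at least one lower-case letter
    "ocredit": -1,         # pwquality: at least one symbol
    "PASS_MAX_DAYS": 90,   # login.defs: maximum password age in days
    "PASS_MIN_LEN": 12,    # login.defs: minimum length for non-PAM logins
}

# Constructed sample files, as they might be pulled from an in-scope host.
PWQUALITY_CONF = """
# /etc/security/pwquality.conf (constructed sample)
minlen = 8
dcredit = -1
ucredit = 0
lcredit = -1
ocredit = -1
"""

LOGIN_DEFS = """
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS\t365
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
"""


def parse_settings(text: str) -> dict:
    """Parse 'key = value' (pwquality) and 'KEY value' (login.defs) lines
    into a dict of integers, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(-?\d+)$", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def check_password_policy(settings: dict, policy: dict = POLICY) -> list:
    """Return one finding string per setting that is missing or weaker than policy."""
    findings = []
    for key, required in policy.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not configured (policy requires {required})")
            continue
        if key == "PASS_MAX_DAYS" or key.endswith("credit"):
            # Shorter maximum age and more negative credit are stricter.
            compliant = actual <= required
        else:
            # Minimum lengths: larger is stricter.
            compliant = actual >= required
        if not compliant:
            findings.append(f"{key}: configured {actual}, policy requires {required}")
    return findings


def audit_host() -> list:
    """Merge both files for one host and return the list of deviations."""
    settings = {}
    settings.update(parse_settings(PWQUALITY_CONF))
    settings.update(parse_settings(LOGIN_DEFS))
    return check_password_policy(settings)


if __name__ == "__main__":
    for finding in audit_host():
        print("FINDING:", finding)
```

Each deviation is reported with the configured and required values so it can be carried straight into the testing response; a host with no findings is compliant for every setting the policy names, and a setting absent from both files is reported rather than silently assumed to be at the distribution default.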

CC6.1.8

Control Description - Should discuss whether the Company has a configuration management policy that requires that all system changes undergo formal documentation, review, and authorization.

What we should test - Should inspect the configuration management policy to determine whether all changes to the system are to be configuration controlled, approved, and a risk analysis is performed.

CC6.1.9

Control Description - Should discuss whether databases housing sensitive customer data are encrypted at rest.

What we should test - Should inspect database configurations to determine whether databases were encrypted at rest.

CC6.1.10

Control Description - Should discuss whether the Company protects its encryption keys by having all encryption keys encrypted themselves with a unique master key.

What we should test - Should inspect the configuration for the encryption process to determine whether encryption activities use an acceptable cryptographic algorithm.

CC6.2 - Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

CC6.2.1

Control Description - Should discuss whether access to in-scope system components requires a documented access request form and manager approval prior to access being provisioned.

What we should test - Should inspect access request forms for a selection of new hires that received access to the in-scope system components to determine whether an access provisioning request was approved prior to access being provisioned.

CC6.2.2

Control Description - Should discuss whether a termination checklist is completed and access is revoked for employees within a reasonable time (24 hours) as part of the termination process.

What we should test - Should inspect the termination process and a selection of terminated employees to determine whether a termination checklist was completed, including revoking access to the in-scope system after their separation. Should also inspect a listing of terminated employees and compare that to a listing of active users to determine whether terminated employees did not retain access to the in-scope system and platforms after their separation.

CC6.2.3

Control Description - Should discuss whether management performs a periodic access review (quarterly) for the in-scope system components to ensure that access is restricted appropriately, and whether tickets are created to remove access as necessary in a timely manner.

What we should test - Should inspect the access review documentation for a selection of quarters (depending on how often the review occurs) to determine that an access review was performed for in-scope system components and that tickets were created to remove inappropriate access.

CC6.3 - The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.

CC6.3.1

Control Description - Should discuss whether asset owners periodically review access to ensure continued appropriateness.

What we should test - Should interview asset owners and inspect documentation to determine whether appropriate procedures are in place to remove or modify application access as needed.

CC6.3.2

Control Description - Should discuss whether a termination checklist is completed and access is revoked for employees within a reasonable time (24 hours) as part of the termination process.

What we should test - Should inspect the termination process and a selection of terminated employees to determine whether a termination checklist was completed, including revoking access to the in-scope system after their separation. Should also inspect a listing of terminated employees and compare that to a listing of active users to determine whether terminated employees did not retain access to the in-scope system and platforms after their separation.

CC6.3.3

Control Description - Should discuss whether the Company establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles.

What we should test - Should inspect the access control policy to determine whether the role-based access scheme was employed to organize information system and network privileges into roles.

Note - If the client is using AWS or Azure for cloud service, and has no physical location, we can note that for all responses in this section.

CC6.4 - The entity restricts physical access to facilities and protected information assets to authorized personnel to meet the entity's objectives.

CC6.4.1

Control Description - Should discuss whether access to the data centers requires a documented access request form and manager approval prior to access being provisioned.

What we should test - Should inspect access request forms for a selection of new hires that received access to the data centers to determine whether an access provisioning request was approved prior to access being provisioned.

CC6.4.2

Control Description - Should discuss whether a termination checklist is completed and access is revoked for employees within a reasonable time (24 hours) as part of the termination process.

What we should test - Should inspect the termination process and a selection of terminated employees to determine whether a termination checklist was completed, including revoking access to the in-scope system after their separation. Should also inspect a listing of terminated employees and compare that to a listing of active users to determine whether terminated employees did not retain access to the in-scope system and platforms after their separation.
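The terminated-versus-active comparison called for in CC6.2.2, CC6.3.2 and CC6.4.2 can be done mechanically once the HR termination listing and each system's active-account export are in hand. The following is an added example written for this guide, not Continuum GRC's own tooling; the CSV column names, user ids and dates are constructed, and the 24-hour window is the "reasonable time" named in the control.

```python
"""Added example, not from the Continuum GRC guide: reconcile an HR
termination listing against an export of active accounts and flag
terminated employees who still hold access after the 24-hour window."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed HR export (assumed column names; real exports will differ).
HR_TERMINATIONS_CSV = """user_id,separation_date
jdoe,2024-03-01T09:00:00Z
asmith,2024-03-10T10:00:00Z
bwong,2024-03-05T17:00:00Z
"""

# Constructed active-account export pulled from each in-scope system.
ACTIVE_ACCOUNTS_CSV = """system,user_id
vpn,jdoe
prod-db,JDoe
vpn,asmith
vpn,clee
badge-system,bwong
"""

# Point in time of the auditor's comparison (constructed).
AS_OF = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
GRACE = timedelta(hours=24)  # the "reasonable time" named in the control


def parse_iso_utc(text):
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def load_terminations(csv_text):
    """Map lower-cased user_id -> separation timestamp."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["user_id"].strip().lower(): parse_iso_utc(row["separation_date"])
            for row in reader}


def load_active_accounts(csv_text):
    """List of (system, user_id) pairs, user_id as exported (case preserved)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["system"].strip(), row["user_id"].strip()) for row in reader]


def find_retained_access(terminations, active_accounts, as_of, grace=GRACE):
    """Return (user_id, system, hours_overdue) for every active account that
    belongs to a terminated user whose separation plus `grace` is already in
    the past at `as_of`. Separations still inside the window are not findings.
    User ids are compared case-insensitively so 'JDoe' matches 'jdoe'."""
    findings = []
    for system, user_id in active_accounts:
        separated_at = terminations.get(user_id.lower())
        if separated_at is None:
            continue  # still employed, or not in the HR listing
        deadline = separated_at + grace
        if as_of > deadline:
            hours_overdue = (as_of - deadline) / timedelta(hours=1)
            findings.append((user_id, system, round(hours_overdue, 1)))
    return sorted(findings, key=lambda f: (f[0].lower(), f[1]))


def sample_findings():
    """Run the reconciliation over the constructed exports."""
    return find_retained_access(load_terminations(HR_TERMINATIONS_CSV),
                                load_active_accounts(ACTIVE_ACCOUNTS_CSV),
                                AS_OF)


if __name__ == "__main__":
    for user_id, system, hours in sample_findings():
        print(f"EXCEPTION: {user_id} still active on {system}, "
              f"{hours} h past the 24 h revocation deadline")
```

With the constructed data, asmith (separated two hours before the comparison) is not an exception, while jdoe and bwong are, and the mixed-case prod-db account for jdoe is still caught.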

CC6.4.3

Control Description - Should discuss whether access to the data centers is reviewed periodically (quarterly) by management.

What we should test - Should inspect a selection of physical access reviews completed by management to determine whether physical access to the data centers was reviewed on a periodic basis.

CC6.5 - The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.

CC6.5.1

Control Description - Should discuss whether the Company has formal data retention and disposal procedures in place to guide the secure disposal of the Company's and customers' data.

What we should test - Should inspect the data retention and disposal procedures to determine whether they were in place.

CC6.5.2

Control Description - Should discuss whether the Company completely degausses and sanitizes all digital media to remove any data and software prior to its removal from Company facilities.

What we should test - Should examine media sanitization records for an agreed-upon selection of digital information system media to determine whether measures are being applied to sanitize digital media prior to disposal.

CC6.6 - The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC6.6.1

Control Description - Should discuss whether the Company has system firewalls that are configured to limit unnecessary ports, protocols, and services, and whether the only ports open into the environment are defined.

What we should test - Should inspect the firewall configurations and rulesets employed within the environment to determine whether the permit rules aligned with the specified networking protocols permitted for inbound network traffic.
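The CC6.6.1 test compares the firewall's permit rules with the Company's defined list of allowed inbound ports. As an added example (not Continuum GRC's or any vendor's code), the script below does that comparison over a constructed, simplified ruleset export and a constructed "defined ports" list, flagging wildcard permits, ports that are not on the list, and permits whose source range is broader than the approved one.

```python
"""Added example, not from the Continuum GRC guide: check a firewall's
inbound permit rules against the Company's documented inbound openings."""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port number, or "any"
    source: str   # source CIDR


# Constructed ruleset, in the order the firewall evaluates it.
RULESET = [
    Rule("web-https",    "permit", "tcp", "443",  "0.0.0.0/0"),
    Rule("mgmt-ssh",     "permit", "tcp", "22",   "10.20.0.0/16"),
    Rule("ssh-anywhere", "permit", "tcp", "22",   "0.0.0.0/0"),
    Rule("rdp-legacy",   "permit", "tcp", "3389", "0.0.0.0/0"),
    Rule("allow-all",    "permit", "any", "any",  "0.0.0.0/0"),
    Rule("default",      "deny",   "any", "any",  "0.0.0.0/0"),
]

# Constructed "defined ports" document: (proto, port) -> widest source
# network that is approved to reach it.
APPROVED_INBOUND = {
    ("tcp", "443"): ipaddress.ip_network("0.0.0.0/0"),
    ("tcp", "22"):  ipaddress.ip_network("10.20.0.0/16"),
}


def check_inbound_rules(ruleset, approved):
    """Return (rule name, reason) for each permit rule that is not backed by
    an entry in the approved list. Deny rules are never exceptions."""
    exceptions = []
    for r in ruleset:
        if r.action != "permit":
            continue
        if r.proto == "any" or r.port == "any":
            exceptions.append((r.name, "wildcard protocol or port is not a defined opening"))
            continue
        allowed_from = approved.get((r.proto, r.port))
        if allowed_from is None:
            exceptions.append((r.name, f"{r.proto}/{r.port} is not in the defined inbound list"))
            continue
        source = ipaddress.ip_network(r.source)
        # subnet_of() is True when the rule's source sits inside the approved range.
        if not source.subnet_of(allowed_from):
            exceptions.append((r.name, f"source {r.source} is broader than approved {allowed_from}"))
    return exceptions


if __name__ == "__main__":
    for name, reason in check_inbound_rules(RULESET, APPROVED_INBOUND):
        print(f"EXCEPTION: rule {name}: {reason}")
```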

CC6.6.2

Control Description - Should discuss whether the Company protects identification and authentication credentials, possibly by deploying Transport Layer Security (TLS) for transmission of confidential and/or sensitive information over public networks.

What we should test - Should inspect the TLS (or whatever they use) settings to determine that transmission of confidential and/or sensitive information over public networks was encrypted.

CC6.6.3

Control Description - Should discuss whether the Company permits remote access to production systems by authorized employees only with multi-factor authentication (MFA) over encrypted virtual private network (VPN) connection.

What we should test - Should observe a remote login session to determine that MFA VPN was required to access the production network.

CC6.6.4

Control Description - Should discuss whether the Company has intrusion detection systems that are used to provide continuous monitoring of the Company's network and prevention of potential security breaches.

What we should test - Should inspect the intrusion detection system configurations to determine whether continuous monitoring of the Company's network and early prevention of potential security breaches were in place.

CC6.7 - The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.

CC6.7.1

Control Description - Should discuss whether the information system restricts the ability of users to transmit, move, or remove system information to other information systems or networks.

What we should test - Should inspect the system and communications protection policy and procedures and associated system configuration settings to determine whether the information system restricts the ability of users to transmit, move, or remove system information.

CC6.7.2

Control Description - Should discuss whether the Company has secure file transfer protocols (SFTP) and whether they are deployed for transmission of confidential and/or sensitive information over public networks.

What we should test - Should inspect SFTP configurations to determine whether SFTP was used for the transmission of confidential and/or sensitive information over public networks.

CC6.7.3

Control Description - Should discuss whether removable media to be used for customer or system data is encrypted and sanitized prior to connecting such devices to the information system - or whether the Company allows for removable media to be used at all.

What we should test - Should inspect the information system media protection policy and procedures and media sanitization records to determine that removable media is encrypted and sanitized prior to use - or inspect removable media policy indicating the restricted use, and observe (if possible) the attempted use to see that the system will not recognize the removable media.

CC6.7.4

Control Description - Should discuss whether mobile device access to production systems is permitted by authorized devices only with multi-factor authentication (MFA) over encrypted virtual private network (VPN) connection.

What we should test - Should observe a remote login session to determine that MFA VPN was required to access the production network, and also inspect the MFA VPN configurations to determine whether user identification numbers, names, and passwords are required.

CC6.8 - The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.

CC6.8.1

Control Description - Should discuss whether the Company requires that only authorized system administrators are able to install software on system devices, and that unauthorized use or installation of software is explicitly covered in the employee handbook.

What we should test - Should inspect the employee handbook and verify that the policies prohibit installation of software by users, and installation is limited to system administrators.

CC6.8.2

Control Description - Should discuss whether the Company has a security center monitoring system that logs and alerts system administrators of software installation or attempted software installation.

What we should test - Should inspect documentation describing the current configuration settings for a selection of the automated mechanisms to determine whether these mechanisms are configured as required.

CC6.8.3

Control Description - Should discuss whether the Company has formally documented change management procedures (including emergency procedures) that are in place to govern the modification and maintenance of production systems and address security requirements.

What we should test - Should inspect the change management procedures to determine whether procedures were in place to govern the modification and maintenance of production systems and addressed security requirements.

CC6.8.4

Control Description - Should discuss whether anti-malware technology is deployed for environments commonly susceptible to malicious attack, and whether the software is used to scan assets prior to being placed into production.

What we should test - Should inspect screenshots of anti-malware software configurations (virus definition update, scan schedule, notifications, and evidence that software is deployed on all servers) to determine whether anti-virus was updated routinely, logged, and installed on all production servers.

CC6.8.5

Control Description - Should discuss whether the Company uses logging and monitoring software to collect data from system infrastructure components and endpoint systems, and whether that software is used to monitor system performance, potential security threats and vulnerabilities, and resource utilization, and to detect unusual system activity or service requests.

What we should test - Should inspect installed software inventory for use of logging and monitoring software to determine whether the Company uses logging and monitoring software to collect data from system infrastructure components and endpoint systems.

CC7.1 - To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

CC7.1.1

Control Description - Should discuss whether baseline configurations are retained within a configuration manager tool for roll back capability anytime an approved configuration change is made, and whether baseline configurations are reviewed and updated periodically (annually, quarterly), when required due to reviews and system changes, and anytime integral system components are added.

What we should test - Should inspect the configuration manager tool to determine whether baseline configurations are retained and up to date for applicable system changes.

CC7.1.2

Control Description - Should discuss whether an IT infrastructure monitoring tool is utilized to monitor IT infrastructure availability and performance and whether the tool generates alerts when specific predefined thresholds are met.

What we should test - Should inspect IT infrastructure monitoring tool configurations and Company notifications to determine whether the IT infrastructure monitoring tools were utilized to monitor IT infrastructure availability and performance and generated alerts when specific predefined thresholds were met.

CC7.1.3

Control Description - Should discuss whether the Company utilizes a configuration monitoring tool that notifies management of changes to production systems.

What we should test - Should inspect alert configurations settings and Company notifications to determine whether a configuration monitoring tool monitored and alerted management of changes to production.

CC7.1.4

Control Description - Should discuss whether automated mechanisms are used to continuously detect the addition of unauthorized components/devices into the system, and whether the configuration monitoring tool logs all changes in status to network switch ports. Should also discuss whether any attempts to insert or install a component immediately sends an alert to the monitoring tool and creates a ticket.

What we should test - Should inspect configuration settings for the monitoring tool and Company notifications to determine whether a configuration monitoring tool monitored and alerted management of any unauthorized components.

CC7.1.5

Control Description - Should discuss whether internal and external network vulnerability scans are performed periodically (quarterly), and whether a remediation plan is developed and changes are implemented to remediate all critical and high vulnerabilities at a minimum.

What we should test - Should inspect internal and external vulnerability scans for a selection of quarters to determine whether internal and external vulnerability scans were performed quarterly and remediation plans were developed to remediate all critical and high vulnerabilities.

CC7.2 - The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.2.1

Control Description - Should discuss how the Company implements detection policies, procedures, and tools, and whether user entities are provided with instructions for communicating potential security breaches to the information security team.

What we should test - Should inspect the policies and procedures as well as the instructions provided to user entities to determine whether they include protocols for communicating potential security breaches.

CC7.2.2

Control Description - Should discuss whether the Company has a defined incident management process that is initiated by authorized personnel when a potential security incident is detected, and also whether corrective actions are implemented in accordance with defined policies and procedures.

What we should test - Should inspect the written incident management procedures to determine whether the procedures include a process for handling the security incident.

CC7.2.3

Control Description - Should discuss whether the Company implements filters to analyze anomalies through procedures to filter, summarize, and analyze anomalies to identify security events.

What we should test - Should inspect the policies and procedures to determine whether the Company implements filters to analyze anomalies.

CC7.2.4

Control Description - Should discuss whether intrusion detection systems are used to provide continuous monitoring of the Company's network and prevention of potential security breaches.

What we should test - Should inspect intrusion detection system configurations to determine whether continuous monitoring of the Company's network and early prevention of potential security breaches were in place.

CC7.3 - The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

CC7.3.1

Control Description - Should discuss whether the Company has developed security incident response policies and procedures that are communicated to authorized users.

What we should test - Should inspect incident response policies and procedures to determine whether an incident response plan was documented and communicated to authorized users.

CC7.3.2

Control Description - Should discuss whether all incidents related to the security of the system are logged, tracked, and communicated to affected parties by management until resolved.

What we should test - Should inspect a selection of IT security incident tickets to determine that an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.3.3

Control Description - Should discuss whether the Company has procedures in place to analyze security incidents and determine system impact.

What we should test - Should inspect policies and procedures to determine whether the Company has procedures in place to analyze security incidents.

CC7.3.4

Control Description - Should discuss whether the Company has policies and procedures to evaluate detected security events to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.

What we should test - Should inspect the policies and procedures to determine whether the Company has procedures in place to evaluate detected security events to determine whether they could or did result in the loss of personal information.

CC7.3.5

Control Description - Should discuss whether the Company has policies and procedures to determine whether an unauthorized use or disclosure of personal information has occurred.

What we should test - Should inspect the policies and procedures to determine whether the Company has procedures in place to determine whether an unauthorized use or disclosure of personal information occurred.

CC7.4 - The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

CC7.4.1

Control Description - Should discuss whether management has established defined roles and responsibilities to oversee implementation of information security policies including incident response.

What we should test - Should inspect security policies to determine whether the Company has established defined roles and responsibilities to oversee implementation of the incident response plan.

CC7.4.2

Control Description - Should discuss whether specific personnel are engaged in the containment process to reduce the magnitude of the incident after an incident has been confirmed.

What we should test - Should inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.4.3

Control Description - Should discuss how the Company mitigates ongoing security incidents by having procedures in place.

What we should test - Should inspect the procedures to determine whether the Company mitigates ongoing security incidents, and also inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.4.4

Control Description - Should discuss whether the Company has procedures in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions.

What we should test - Should inspect the procedures to determine whether the Company has procedures in place to end the threats posed by security incidents, and also inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.4.5

Control Description - Should discuss how the Company is able to restore operations, likely by having daily incremental and weekly full backups that are configured for the databases.

What we should test - Should inspect the policies and procedures that enable the Company to restore operations, and in the case of backups, should observe backup configuration to determine whether daily incremental and weekly full backups were configured for the databases.

CC7.4.6

Control Description - Should discuss whether all incidents related to the security of the system are logged, tracked, and communicated to affected parties by management until resolved.

What we should test - Should inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.4.7

Control Description - Should discuss how the Company obtains an understanding of the nature of the incident(s) and determines containment strategies, and what those strategies are.

What we should test - Should inspect established containment strategies within an incident response plan, and also inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.4.8

Control Description - Should discuss whether internal and external network vulnerability scans are performed periodically (quarterly), and whether a remediation plan is developed and changes are implemented to remediate all critical and high vulnerabilities at a minimum.

What we should test - Should inspect internal and external vulnerability scans for a selection of quarters to determine whether internal and external vulnerability scans were performed and remediation plans were developed to remediate all critical and high vulnerabilities.

CC7.4.9

Control Description - Should discuss whether the Company has remediation activities that are documented and communicated in accordance with the incident response program.

What we should test - Should inspect the incident response program to determine whether the Company has documented remediation activities that are communicated to the appropriate parties.

CC7.4.10

Control Description - Should discuss whether the Company evaluates the effectiveness of incident response on a periodic (quarterly, annually) basis, and also whether the Company incorporates lessons learned from ongoing incident response activities.

What we should test - Should inspect the incident response plan to determine whether the document has been reviewed and revised every quarter/year and whether changes were incorporated from prior incidents and associated lessons learned.

CC7.4.11

Control Description - Should discuss whether the Company evaluates the effectiveness of incident response on a periodic (quarterly, annually) basis, and also whether management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy.

What we should test - Should inspect the incident response plan to determine whether the document has been reviewed and revised every quarter/year and whether changes were incorporated from prior incidents and associated lessons learned.

CC7.4.12

Control Description - Should discuss whether the Company has established an incident response plan to respond to events that result in unauthorized use or disclosure of personal information and ensure it is communicated to the data subjects, legal and regulatory authorities, and others as required.

What we should test - Should inspect the incident response plan to determine whether the Company communicates unauthorized use and disclosure of personal information to the data subjects, legal and regulatory authorities, and others as required.

CC7.4.13

Control Description - Should discuss how the Company applies sanctions to individuals and organizations operating under the authority of the Company for being involved in the unauthorized use or disclosure of personal information, in accordance with policies and procedures and legal and regulatory requirements.

What we should test - Should inspect the policies and procedures to determine whether they address how the Company will apply sanctions for unauthorized use or disclosure of personal information.

CC7.5 - The entity identifies, develops, and implements activities to recover from identified security incidents.

CC7.5.1

Control Description - Should discuss how the Company restores the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations.

What we should test - Should inspect the configuration management policy to determine whether all changes including patches/updates are configuration controlled. If applicable, inspect a selection of patch updates to determine that patches were tested in accordance with the configuration management policy prior to being placed into production.

CC7.5.2

Control Description - Should discuss whether all incidents related to the security of the system are logged, tracked, and communicated to affected parties by management until resolved.

What we should test - Should inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.5.3

Control Description - Should discuss whether a technician or administrator being responsible for security incident tickets follows a process of analyzing the security incident, detailing what specific attack occurred and which system(s) were affected, and determining the root cause of the event.

What we should test - Should inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.5.4

Control Description - Should discuss how the Company implements changes to prevent and detect recurrences, possibly by having an assessment of the incident response to better handle future incidents and perform an analysis on after-action reports or mitigation of exploited vulnerabilities to prevent similar incidents in the future.

What we should test - Should inspect a selection of IT security incident tickets to determine whether an incident response plan was initiated by authorized personnel, threats are mitigated, corrective action plans were documented, incidents were tracked until resolved, and an after-action report was prepared.

CC7.5.5

Control Description - Should discuss whether the Company incorporates lessons learned from ongoing incident response activities into incident response procedures accordingly, and if changes are required, necessary changes are made to the policy and procedures and redistributed according to all responsible organizations and key personnel.

What we should test - Should inspect the incident response plan to determine whether the document has been reviewed and revised every year and changes were incorporated from prior incidents and associated lessons learned.

CC7.5.6

Control Description - Should discuss whether periodic (annual) testing of the incident response plan is performed using exercises and simulations to ensure the incident response procedures are up-to-date and accurate, and whether lessons learned from exercises are used to implement changes to reflect effective procedures when handling incidents.

What we should test - Should inspect documentation for the most recent incident response plan review to determine whether the plan was tested within the past year and that drills conducted to simulate incidents were resolved and service availability was restored, and should also inspect the incident response plan for revisions made because of the testing performed.

CC8.1 - The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

CC8.1.1

Control Description - Should discuss whether the Company has adopted a formal systems development life cycle (SDLC) methodology that governs the development, acquisition, implementation, and maintenance of computerized information systems and related technology requirements.

What we should test - Should inspect the systems development life cycle (SDLC) methodology to determine whether it governed the development, acquisition, implementation, and maintenance of computerized information systems and related technology requirements.

CC8.1.2

Control Description - Should discuss whether the Company's software and infrastructure change management process requires that change requests are: authorized; formally documented; tested prior to migration to production; and reviewed and approved.

What we should test - Should inspect a selection of change requests to determine whether changes were: authorized; formally documented; tested prior to migration to production; and reviewed and approved.

CC8.1.3

Control Description - Should discuss whether formally documented change management procedures (including emergency procedures) are in place to govern the modification and maintenance of production systems and address security and availability requirements.

What we should test - Should inspect the change management procedures to determine whether procedures were in place to govern the modification and maintenance of production systems and addressed security and availability requirements.

CC8.1.4

Control Description - Should discuss whether the Company requires all changes, including maintenance activities, to be documented and tracked from initiation through deployment and validation.

What we should test - Should inspect a selection of change requests to determine whether changes were: authorized; formally documented; tested prior to migration to production; reviewed and approved; and tracked through completion.

CC8.1.5

Control Description - Should discuss whether the Company requires all changes, including maintenance activities, to be documented and tracked from initiation through deployment and validation.

What we should test - Should inspect a selection of change requests to determine whether changes were: authorized; formally documented; tested prior to migration to production; reviewed and approved; and tracked through completion. (May be grouped in with CC8.1.4 on the report)

CC8.1.6

Control Description - Should discuss whether baseline configurations are retained within the configuration manager tool for rollback capability any time an approved configuration change is made, and whether baseline configurations are reviewed and updated annually, when required due to reviews and system changes, and any time integral system components are added.

What we should test - Should inspect the configuration manager tool to determine whether baseline configurations are retained and up to date for applicable system changes.

CC8.1.7

Control Description - Should discuss how the Company tests system changes prior to implementation, and whether the changes are reviewed and approved prior to implementation.

What we should test - Should inspect a selection of change requests to determine whether changes were: authorized; formally documented; tested prior to migration to production; reviewed and approved; and tracked through completion.

CC8.1.8

Control Description - Should discuss how the Company tests system changes prior to implementation, and whether the changes are reviewed and approved prior to implementation.

What we should test - Should inspect a selection of change requests to determine whether changes were: authorized; formally documented; tested prior to migration to production; reviewed and approved; and tracked through completion.

CC8.1.9

Control Description - Should discuss whether the Company maintains a documented change management and patch management process.

What we should test - Should inspect the change and patch management policies to determine whether there are documented policies and procedures.

CC8.1.10

Control Description - Should discuss whether the Company maintains a documented change management and patch management process.

What we should test - Should inspect the change and patch management policies to determine whether there are documented policies and procedures. (May be grouped in with CC8.1.9 on the report)

CC8.1.11

Control Description - Should discuss whether the Company maintains a formally documented change management process that requires changes to hardware, operating system, and system software to be authorized, tested (when applicable), and approved by appropriate personnel prior to implementation.

What we should test - Should inspect the change management policy for hardware, operating system, and system software to determine whether procedures are formally documented, including procedures over authorization, testing (when applicable), and approval prior to implementation.

CC8.1.12

Control Description - Should discuss whether baseline configurations are retained within the configuration manager tool for rollback capability any time an approved configuration change is made, and whether baseline configurations are reviewed and updated annually, when required due to reviews and system changes, and any time integral system components are added.

What we should test - Should inspect the configuration manager tool to determine whether baseline configurations are retained and up to date for applicable system changes.

CC8.1.13

Control Description - Should discuss whether emergency changes follow the standard change management process but at an accelerated timeline, and whether prior to initiating an emergency change, all necessary approvals are obtained and documented.

What we should test - Should inspect change documentation from a system-generated list of program changes for a selection of emergency changes to determine whether the changes were approved.
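The change request attributes named in CC8.1.2 through CC8.1.13 (authorized, documented, tested before migration, approved before deployment, tracked through completion, with emergency changes held to the same attributes on a faster timeline) can be checked mechanically over a ticket export. The following is an added example, not Continuum GRC's or any client's tooling; the ticket fields and the sample tickets are constructed assumptions, and a field export from a real ticketing system would need to be mapped onto them.

```python
"""Evaluate a sample of change tickets against the CC8.1 attributes.

Added example (not the page's or any project's code). The ChangeRequest
field names and the sample tickets below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ChangeRequest:
    ticket_id: str
    description: str
    authorized_by: Optional[str]
    tested_at: Optional[datetime]
    test_not_applicable: bool        # documented justification that testing did not apply
    approved_by: Optional[str]
    approved_at: Optional[datetime]
    deployed_at: Optional[datetime]
    closed_at: Optional[datetime]
    emergency: bool = False


def evaluate(cr: ChangeRequest) -> List[str]:
    """Return the names of the CC8.1 attributes this ticket fails (empty if clean).

    Emergency changes are not waived: CC8.1.13 requires approvals to be obtained
    and documented before the change is initiated, so the same sequencing applies.
    """
    failures: List[str] = []
    if not cr.authorized_by:
        failures.append("authorized")
    if not cr.description.strip():
        failures.append("documented")
    # "Tested prior to migration to production": a test timestamp that precedes
    # deployment, or a recorded justification that testing was not applicable.
    if not cr.test_not_applicable:
        if cr.tested_at is None or cr.deployed_at is None or cr.tested_at > cr.deployed_at:
            failures.append("tested_before_migration")
    # "Reviewed and approved": an approver plus an approval dated before deployment.
    if (not cr.approved_by or cr.approved_at is None
            or cr.deployed_at is None or cr.approved_at > cr.deployed_at):
        failures.append("approved_before_deployment")
    # "Tracked through completion": the ticket was closed after deployment.
    if cr.closed_at is None or cr.deployed_at is None or cr.closed_at < cr.deployed_at:
        failures.append("tracked_to_completion")
    return failures


def exceptions(sample: List[ChangeRequest]) -> Dict[str, List[str]]:
    """Map ticket id -> failed attributes for every ticket that is not clean."""
    return {cr.ticket_id: f for cr in sample if (f := evaluate(cr))}


# Constructed sample: one clean ticket, one approved after deployment,
# one emergency change with no test evidence and no closure.
SAMPLE_TICKETS = [
    ChangeRequest("CHG-1001", "Rotate TLS certificate on web tier", "j.doe",
                  datetime(2024, 4, 2, 10, 0), False, "a.lee",
                  datetime(2024, 4, 2, 14, 0), datetime(2024, 4, 3, 9, 0),
                  datetime(2024, 4, 3, 11, 0)),
    ChangeRequest("CHG-1002", "Increase DB connection pool", "j.doe",
                  datetime(2024, 4, 5, 9, 0), False, "a.lee",
                  datetime(2024, 4, 6, 9, 0), datetime(2024, 4, 5, 17, 0),
                  datetime(2024, 4, 6, 10, 0)),
    ChangeRequest("CHG-1003", "Hotfix: disable vulnerable endpoint", "j.doe",
                  None, False, "a.lee",
                  datetime(2024, 4, 8, 1, 0), datetime(2024, 4, 8, 1, 30),
                  None, emergency=True),
]


def sample_exceptions() -> Dict[str, List[str]]:
    return exceptions(SAMPLE_TICKETS)


if __name__ == "__main__":
    for ticket_id, failed in sample_exceptions().items():
        print(f"{ticket_id}: {', '.join(failed)}")
```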

CC8.1.14

Control Description - Should discuss whether formally documented change management procedures (including emergency procedures) are in place to govern the modification and maintenance of production systems and address confidentiality requirements.

What we should test - Should inspect the change management procedures to determine whether procedures were in place to govern the modification and maintenance of production systems and addressed confidentiality requirements.

CC8.1.15

Control Description - Should discuss whether formally documented change management procedures (including emergency procedures) are in place to govern the modification and maintenance of production systems and address privacy requirements.

What we should test - Should inspect the change management procedures to determine whether procedures were in place to govern the modification and maintenance of production systems and addressed privacy requirements.

CC9.1 - The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

CC9.1.1

Control Description - Should discuss whether a documented risk management program is in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks. Should also discuss whether a risk assessment is performed on at least an annual basis, and that as part of this process, threats and changes (environmental, regulatory, and technological) to service commitments, policies, and procedures are identified and the risks are formally assessed.

What we should test - Should inspect the risk management policy to determine that a program had been established around the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks. Should also inspect the most recent risk assessment to determine whether threats and changes were formally identified and assessed on an annual basis.

CC9.1.2

Control Description - Should discuss whether the risk management program includes the use of insurance to minimize the financial impact of any loss event.

What we should test - Should inspect the risk management program to determine whether the program includes cyber insurance for potential loss events.

CC9.2 - The entity assesses and manages risks associated with vendors and business partners.

CC9.2.1

Control Description - Should discuss whether the Company has formal information sharing agreements in place with related parties and vendors, and whether those agreements include the scope of services and security commitments applicable to that entity.

What we should test - Should inspect contracts for a selection of new vendors added during the audit period to determine whether agreements included scope of services and security commitments.

CC9.2.2

Control Description - Should discuss whether a vendor risk assessment is performed on an annual basis for all vendors that have access to confidential data or impact the security of the system.

What we should test - Should inspect vendor risk assessment documentation for a selection of vendors to determine whether a risk assessment was performed within the past year.

CC9.2.3

Control Description - Should discuss whether management has established defined roles and responsibilities to oversee vendors and business partners.

What we should test - Should inspect security policies to determine whether the Company has established defined roles and responsibilities to oversee vendors and business partners.

CC9.2.4

Control Description - Should discuss whether the Company establishes communication protocols for vendors and business partners through agreements or other policies and procedures.

What we should test - Should inspect agreements or other policies and procedures to determine whether the Company established communication protocols for vendors and business partners.

CC9.2.5

Control Description - Should discuss whether the Company establishes exception handling procedures for vendors and business partners through agreements or other policies and procedures.

What we should test - Should inspect agreements or other policies and procedures to determine whether the Company established exception handling procedures for vendors and business partners.

CC9.2.6

Control Description - Should discuss whether a vendor risk assessment is performed by management for all vendors on an annual basis.

What we should test - Should inspect vendor risk assessment documentation for a selection of vendors to determine whether a risk assessment was performed within the past year.

CC9.2.7

Control Description - Should discuss whether a vendor risk assessment is performed by management for all vendors on an annual basis and includes identifying threats to operations and determining a risk mitigation strategy.

What we should test - Should inspect vendor risk assessment documentation for a selection of vendors to determine whether a risk assessment was performed within the past year and included the significant aspects of operations.

CC9.2.8

Control Description - Should discuss whether the Company has clauses in its agreements with vendors and business partners to terminate relationships when necessary, and whether vendor and business partner access is removed upon termination through a termination checklist and access is revoked within a reasonable time (24 hours) as part of the termination process.

What we should test - Should inspect a listing of terminated vendors and compare the vendor employee listing to the active user listing to determine whether terminated vendor employees did not retain access to the in-scope system and platforms after their separation.
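The comparison described above (terminated vendor personnel against the active user listing, with the 24-hour revocation window named in the control) is easy to get wrong by hand when identifiers differ in case or when a termination falls outside the examination period. The following is an added example of that reconciliation, not Continuum GRC's or any client's code; the record layouts, the 24-hour window constant and the sample data are constructed assumptions.

```python
"""Reconcile terminated vendor personnel against active accounts.

Added example (not the page's or any project's code). Record layouts and the
sample data are constructed; map your HR and IdP exports onto them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The "reasonable time" named in CC9.2.8; assumed here as a fixed SLA.
REVOCATION_SLA = timedelta(hours=24)
UTC = timezone.utc


@dataclass(frozen=True)
class Termination:
    email: str
    vendor: str
    terminated_at: datetime


@dataclass(frozen=True)
class Account:
    email: str
    system: str
    enabled: bool
    disabled_at: Optional[datetime]   # None when still enabled or date not recorded


@dataclass(frozen=True)
class Finding:
    email: str
    system: str
    issue: str   # "still_active" or "late_revocation"


def _key(email: str) -> str:
    # HR and identity-provider exports rarely agree on case; normalise before matching.
    return email.strip().lower()


def reconcile(terminations: List[Termination], accounts: List[Account],
              period_end: datetime) -> List[Finding]:
    """Return one Finding per account that was still enabled after its owner's
    termination, or disabled later than REVOCATION_SLA after it.

    Terminations after period_end are out of scope for the examination period.
    A disabled account with no recorded disable date cannot be timed and is not
    reported; it should be followed up manually rather than silently passed.
    """
    by_user: Dict[str, List[Account]] = {}
    for acct in accounts:
        by_user.setdefault(_key(acct.email), []).append(acct)

    findings: List[Finding] = []
    for term in terminations:
        if term.terminated_at > period_end:
            continue
        for acct in by_user.get(_key(term.email), []):
            if acct.enabled:
                findings.append(Finding(acct.email, acct.system, "still_active"))
            elif acct.disabled_at is not None and \
                    acct.disabled_at - term.terminated_at > REVOCATION_SLA:
                findings.append(Finding(acct.email, acct.system, "late_revocation"))
    return findings


# Constructed sample: mixed-case email, one timely and one late revocation,
# one account still enabled, one termination after the period end.
SAMPLE_TERMINATIONS = [
    Termination("Alice@vendorco.example", "VendorCo", datetime(2024, 3, 1, 9, 0, tzinfo=UTC)),
    Termination("bob@vendorco.example", "VendorCo", datetime(2024, 3, 5, 9, 0, tzinfo=UTC)),
    Termination("carol@vendorco.example", "VendorCo", datetime(2024, 3, 10, 9, 0, tzinfo=UTC)),
    Termination("dan@vendorco.example", "VendorCo", datetime(2024, 7, 1, 9, 0, tzinfo=UTC)),
]
SAMPLE_ACCOUNTS = [
    Account("alice@vendorco.example", "vpn", True, None),
    Account("alice@vendorco.example", "ticketing", False, datetime(2024, 3, 1, 12, 0, tzinfo=UTC)),
    Account("bob@vendorco.example", "vpn", False, datetime(2024, 3, 8, 9, 0, tzinfo=UTC)),
    Account("carol@vendorco.example", "vpn", False, None),
    Account("dan@vendorco.example", "vpn", True, None),
]
PERIOD_END = datetime(2024, 6, 30, 23, 59, tzinfo=UTC)


def run_sample() -> List[Finding]:
    return reconcile(SAMPLE_TERMINATIONS, SAMPLE_ACCOUNTS, PERIOD_END)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.email} on {f.system}: {f.issue}")
```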

CC9.2.9

Control Description - Should discuss whether the Company has a confidentiality clause in its agreements with vendors and business partners that is consistent with the Company's confidentiality commitments and requirements.

What we should test - Should inspect contracts for a selection of new vendors added during the audit period to determine whether agreements included a confidentiality clause.

CC9.2.10

Control Description - Should discuss whether a vendor risk assessment is performed by management for all vendors on an annual basis and includes an assessment of confidentiality commitments.

What we should test - Should inspect vendor risk assessment documentation for a selection of vendors to determine whether a risk assessment was performed within the past year and included an assessment of confidentiality commitments.

CC9.2.11

Control Description - Should discuss whether the Company has a privacy clause in its agreements with vendors and business partners that is consistent with the Company's privacy commitments and requirements.

What we should test - Should inspect contracts for a selection of new vendors added during the audit period to determine whether agreements included a privacy clause.

CC9.2.12

Control Description - Should discuss whether a vendor risk assessment is performed by management for all vendors on an annual basis and includes an assessment of privacy commitments.

What we should test - Should inspect vendor risk assessment documentation for a selection of vendors to determine whether a risk assessment was performed within the past year and included an assessment of privacy commitments.

Availability

A1.1 - The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

A1.1.1

Control Description - Should discuss how the Company measures current usage on their system, and whether the Company has established a baseline for capacity management to mitigate risks of impaired availability due to capacity constraints.

What we should test - Should inspect system checks to determine current usage measurement of system capacity and whether the Company has a set baseline established.

A1.1.2

Control Description - Should discuss how the Company forecasts capacity of usage on their system, and whether the forecasting considers capacity in the event of the failure of system components that constrain capacity.

What we should test - Should inspect system checks and Company policies and procedures to determine whether the service organization has a process of forecasting capacity.

A1.1.3

Control Description - Should discuss whether the Company makes changes based on the forecasts completed of the capacity of usage on their system, and whether this process is documented in a change management policy.

What we should test - Should inspect the change management policy and system checks to determine whether the Company makes changes based on forecasts indicating usage exceeds capacity tolerances.

A1.2 - The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

A1.2.1

Control Description - Should discuss whether the annual risk assessment identified environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.

What we should test - Should inspect the annual risk assessment to determine whether it includes the identification of environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.

A1.2.2

Control Description - Should discuss whether the Company designs and uses detection measures that are implemented to identify anomalies that could result from environmental threat events.

What we should test - Should inspect policies and procedures and risk assessment analysis to determine whether the Company designs detection measures that are implemented to identify anomalies that could result from environmental threat events.

A1.2.3

Control Description - Should discuss whether the Company implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events.

What we should test - Should inspect policies and procedures and risk assessment analysis to determine whether the Company implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events.

A1.2.4

Control Description - Should discuss whether the Company implements alerts that are communicated to personnel for analysis to identify environmental threat events.

What we should test - Should inspect policies and procedures and risk assessment analysis to determine whether the Company implements alerts that are communicated to personnel for analysis to identify environmental threat events.

A1.2.5

Control Description - Should discuss how the Company responds to environmental threat events through documented policies and procedures, and also whether those policies and procedures are periodically reviewed by management.

What we should test - Should inspect the policies and procedures to determine whether they include a process of responding to environmental threat events and also if they are periodically reviewed and updated by management.

A1.2.6

Control Description - Should discuss whether the Company communicates detected environmental threat events to management and whether management reviews and acts on them in a reasonable time.

What we should test - Should inspect the policies and procedures to determine whether management has documented procedures for reviewing and acting on detected environmental threat events.

A1.2.7

Control Description - Should discuss whether management has processes and procedures for evaluating data to determine whether backup is required.

What we should test - Should inspect the policies and procedures to determine whether management has documented procedures for evaluating data to determine whether backup is required.

A1.2.8

Control Description - Should discuss whether the Company has procedures in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur.

What we should test - Should inspect the procedures for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur. Should also inspect the latest backup performed to determine whether a backup is performed regularly and also whether any failures occurred. If so, inspect a corrective action report addressing the failure.

A1.2.9

Control Description - Should discuss whether the Company stores back-up data in an off-site location to reduce the likelihood of a security or environmental threat event to an appropriate level of risk.

What we should test - Most likely our clients will keep their back-up in the cloud, whether through AWS or Azure. If this is the case, we can reference that fact and also document the SOC 2 report of AWS or Azure and what the opinion was (unqualified). If this is not the case, should inspect the system architecture to determine where the back-up is stored and whether it is off-site.

A1.2.10

Control Description - Should discuss whether the Company implements measures for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.

What we should test - Most likely our clients will operate in the cloud, whether through AWS or Azure. If this is the case, we can reference that fact and also document the SOC 2 report of AWS or Azure and what the opinion was (unqualified). If this is not the case, should inspect the system policies and procedures as well as the system architecture to determine whether the Company implements measures for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.

A1.3 - The entity tests recovery plan procedures supporting system recovery to meet its objectives.

A1.3.1

Control Description - Should discuss whether the Company has a business continuity plan and whether it is tested on a periodic basis.

What we should test - Should inspect the business continuity plan to determine whether it is tested on a periodic basis.

A1.3.2

Control Description - Should discuss how the Company tests the integrity and completeness of its back-up data, and how often.

What we should test - Most likely our clients will keep their back-up in the cloud, whether through AWS or Azure. If this is the case, we can reference that fact and also document the SOC 2 report of AWS or Azure and what the opinion was (unqualified). If this is not the case, should inspect the system policies and procedures to determine how the Company tests the integrity and completeness of its back-up data, and how often these tests are run.

Confidentiality

C1.1 - The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.

C1.1.1

Control Description - Should discuss whether the Company has documented procedures in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.

What we should test - Should inspect the policies and procedures to determine whether the Company has documented procedures in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.

C1.1.2

Control Description - Should discuss whether the Company has documented procedures in place to protect confidential information from erasure or destruction during the specified retention period of the information.

What we should test - Should inspect the policies and procedures to determine whether the Company has documented procedures in place to protect confidential information from erasure or destruction during the specified retention period of the information.

C1.2 - The entity disposes of confidential information to meet the entity's objectives related to confidentiality.

C1.2.1

Control Description - Should discuss whether the Company has documented procedures in place to identify confidential information requiring destruction when the end of the retention period is reached.

What we should test - Should inspect the policies and procedures to determine whether the Company has documented procedures in place to identify confidential information requiring destruction when the end of the retention period is reached.

C1.2.2

Control Description - Should discuss whether the Company has documented procedures in place to erase or otherwise destroy confidential information that has been identified for destruction.

What we should test - Should inspect the policies and procedures to determine whether the Company has documented procedures in place to erase or otherwise destroy confidential information that has been identified for destruction.

Processing Integrity

PI1.1 - The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.

PI1.1.1

Control Description - Should discuss how the Company identifies information specifications required to support the use of products and services, and what those specifications are.

What we should test - Should inspect the policies and procedures surrounding information specifications and system metrics to determine whether the Company identifies specifications and what those specifications are.

PI1.1.2

Control Description - Should discuss whether the Company defines data necessary to support a product or service, and whether the data is made available to users of the data.

What we should test - Should inspect the policies and procedures, customer terms of service, or customer agreements, to determine whether the Company defines data and provides data to users.

PI1.1.3

Control Description - Should discuss whether the description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose that has not been included within the data.

What we should test - Should inspect the policies and procedures to determine whether the description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose that has not been included within the data.

PI1.2 - The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives.

PI1.2.1

Control Description - Should discuss how the Company defines the characteristics of processing inputs that are necessary to meet requirements.

What we should test - Should inspect the policies and procedures surrounding processing to determine whether the service organization defines the characteristics of processing inputs that are necessary to meet requirements.

PI1.2.2

Control Description - Should discuss whether the Company evaluates processing inputs for compliance with defined input requirements.

What we should test - Should inspect the policies and procedures surrounding processing to determine whether the service organization evaluates processing inputs for compliance with defined input requirements.

PI1.2.3

Control Description - Should discuss whether the Company creates and maintains records of system input activities in a timely manner.

What we should test - Should inspect the policies and procedures to determine whether the Company creates and maintains records of system input activities in a timely manner, and also inspect a selection of records to determine whether they were input in a timely manner.

PI1.3 - The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives.

PI1.3.1

Control Description - Should discuss whether the Company has documented policies and procedures that define the processing specifications that are necessary to meet product or service requirements.

What we should test - Should inspect the policies and procedures to determine whether they define the processing specifications that are necessary to meet product or service requirements.

PI1.3.2

Control Description - Should discuss whether the Company has documented policies and procedures that define processing activities that result in products or services that meet specifications.

What we should test - Should inspect the policies and procedures to determine whether they define processing activities that result in products or services that meet specifications.

PI1.3.3

Control Description - Should discuss whether the Company has documented policies and procedures that outline how errors in the production process are detected and corrected in a timely manner.

What we should test - Should inspect the policies and procedures to determine whether they outline how errors in the production process are detected and corrected in a timely manner.

PI1.3.4

Control Description - Should discuss whether the Company has documented policies and procedures that outline whether system processing activities are recorded completely and accurately in a timely manner.

What we should test - Should inspect the policies and procedures to determine whether they outline whether system processing activities are recorded completely and accurately in a timely manner.

PI1.3.5

Control Description - Should discuss whether the Company has documented policies and procedures that outline whether inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities.

What we should test - Should inspect the policies and procedures to determine whether they outline whether inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities.

PI1.4 - The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives.

PI1.4.1

Control Description - Should discuss whether the Company has documented policies and procedures to describe how output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.

What we should test - Should inspect the policies and procedures to determine whether they describe how output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.

PI1.4.2

Control Description - Should discuss whether the Company has documented policies and procedures to describe how output is distributed or made available only to intended parties.

What we should test - Should inspect the policies and procedures to determine whether they describe how output is distributed or made available only to intended parties.

PI1.4.3

Control Description - Should discuss whether the Company has documented policies and procedures in place to provide for the completeness, accuracy, and timeliness of distributed output.

What we should test - Should inspect the policies and procedures to determine whether they provide for the completeness, accuracy, and timeliness of distributed output.

PI1.4.4

Control Description - Should discuss whether the Company has documented policies and procedures that outline whether records of system output activities are created and maintained completely and accurately in a timely manner.

What we should test - Should inspect the policies and procedures to determine whether they outline whether records of system output activities are created and maintained completely and accurately in a timely manner.

PI1.5 - The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.

PI1.5.1

Control Description - Should discuss whether the Company has documented policies and procedures that outline whether stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.

What we should test - Should inspect the policies and procedures to determine whether they outline whether stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.

PI1.5.2

Control Description - Should discuss whether the Company has documented policies and procedures that outline whether system records are archived, and whether archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.

What we should test - Should inspect the policies and procedures to determine whether they outline whether system records are archived, and whether archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.

PI1.5.3

Control Description - Should discuss whether the Company has documented policies and procedures in place to provide for the complete, accurate, and timely storage of data.

What we should test - Should inspect the policies and procedures to determine whether they provide for the complete, accurate, and timely storage of data.

PI1.5.4

Control Description - Should discuss whether the Company has documented policies and procedures that outline whether records of system storage activities are created and maintained completely and accurately in a timely manner.

What we should test - Should inspect the policies and procedures to determine whether they outline whether records of system storage activities are created and maintained completely and accurately in a timely manner.

Privacy

P1.1 - The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity's privacy practices, including changes in the use of personal information, to meet the entity's objectives related to privacy.

P1.1.1

Control Description - Should discuss how the Company provides notice to data subjects regarding the numerous items listed in ITAM.

What we should test - Should inspect the policies and procedures indicating whether the Company provides notice to the data subjects regarding the various items noted.

P1.1.2

Control Description - Should discuss whether the Company provides notice to data subjects if personal information is collected from sources other than the individual.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether it is provided to data subjects and includes notice if personal information is collected from sources other than the individual.

P1.1.3

Control Description - Should discuss whether the Company provides notice to data subjects, and when, in relation to personal information being collected and used.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company provides notice, and when, in relation to personal information being collected and used.

P1.1.4

Control Description - Should discuss whether the Company covers entities and activities in the privacy notice provided to data subjects.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether it includes an objective description of the entities and activities covered.

P1.1.5

Control Description - Should discuss whether the Company uses clear and conspicuous language in the privacy notice provided to data subjects.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company uses clear and conspicuous language.

P2.1 - The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity's objectives related to privacy. The entity's basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.

P2.1.1

Control Description - Should discuss how the Company communicates to data subjects about the choices available to them with respect to the collection, use, and disclosure of personal information, and whether implicit or explicit consent is required to collect, use, and disclose personal information.

What we should test - Should inspect the privacy notice (privacy policy) and system settings to determine whether the Company communicates to data subjects about the choices available to them with respect to the collection, use, and disclosure of personal information, and whether implicit or explicit consent is required to collect, use, and disclose personal information.

P2.1.2

Control Description - Should discuss how the Company communicates to data subjects the consequences of denying or withdrawing consent to the use of personal information.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company communicates to data subjects the consequences of denying or withdrawing consent to the use of personal information.

P2.1.3

Control Description - Should discuss whether the Company obtains implicit or explicit consent from data subjects at or before the time personal information is collected, or soon thereafter.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company obtains implicit or explicit consent from data subjects at or before the time personal information is collected, or soon thereafter.

P2.1.4

Control Description - Should discuss whether the Company documents and obtains consent for new purposes and uses, and whether the data subject is notified.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company documents and obtains consent for new purposes and uses, and whether the data subject is notified.

P2.1.5

Control Description - Should discuss whether the Company obtains explicit consent from data subjects when sensitive personal information is collected, used, or disclosed.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company obtains explicit consent from data subjects when sensitive personal information is collected, used, or disclosed.

P2.1.6

Control Description - Should discuss whether the Company obtains consent before personal information is transferred to or from an individual's computer or other similar device.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company obtains consent before personal information is transferred to or from an individual's computer or other similar device.

P3.1 - Personal information is collected consistent with the entity's objectives related to privacy.

P3.1.1

Control Description - Should discuss whether the collection of personal information is limited to that necessary to meet the entity's objectives.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the policy indicates that the collection of personal information is limited to that necessary to meet the entity's objectives.

P3.1.2

Control Description - Should discuss whether the Company uses fair and lawful means when collecting personal information from data subjects, and also whether these methods of collection are reviewed by management.

What we should test - Should inspect the policies and procedures regarding privacy and the privacy notice (privacy policy) to determine whether management has reviewed the methods of collection, and also to determine whether the collection methods are fair and lawful.

P3.1.3

Control Description - Should discuss whether the Company collects personal information from sources other than the individual, and if so, whether those sources are reliable sources that collect information fairly and lawfully.

What we should test - Should inspect the policies and procedures regarding privacy and the privacy notice (privacy policy) to determine whether the Company collects personal information from sources other than the individual, and if so, whether those sources are reliable sources that collect information fairly and lawfully.

P3.1.4

Control Description - Should discuss whether the Company informs all data subjects if the Company develops or acquires additional information about them for its use.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company informs all data subjects if the Company develops or acquires additional information about them for its use.

P3.2 - For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information and obtains the consent prior to the collection of the information to meet the entity's objectives related to privacy.

P3.2.1

Control Description - Should discuss whether the Company obtains explicit consent from the data subject when sensitive personal information is collected, used, or disclosed.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company obtains explicit consent from the data subject when sensitive personal information is collected, used, or disclosed.

P3.2.2

Control Description - Should discuss whether the Company documents explicit consent for the collection, use, or disclosure of sensitive personal information and retains it in accordance with objectives related to privacy.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company documents explicit consent to retain information.

P4.1 - The entity limits the use of personal information to the purposes identified in the entity's objectives related to privacy.

P4.1.1

Control Description - Should discuss whether the Company limits the use of personal information for the intended purposes only.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company limits the use of personal information for the intended purposes only.

P4.2 - The entity retains personal information consistent with the entity's objectives related to privacy.

P4.2.1

Control Description - Should discuss whether the Company retains personal information for no longer than necessary to fulfill the stated purposes.

What we should test - Should inspect the privacy notice (privacy policy) to determine whether the Company retains personal information for no longer than necessary to fulfill the stated purposes.

P4.2.2

Control Description - Should discuss whether the Company has documented policies and procedures that outline how personal information is protected from erasure or destruction during the specified retention period of the information.

What we should test - Should inspect policies and procedures to determine whether they outline how personal information is protected from erasure or destruction during the specified retention period of the information.

P4.3 - The entity securely disposes of personal information to meet the entity's objectives related to privacy.

P4.3.1

Control Description - Should discuss whether requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity's objectives related to privacy.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether requests for deletion of personal information are captured, and whether information related to the requests is identified and flagged for destruction to meet the entity's objectives related to privacy.

P4.3.2

Control Description - Should discuss whether personal information that is no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether personal information that is no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.

P4.3.3

Control Description - Should discuss whether the Company has documented policies and procedures in place to erase or otherwise destroy personal information that has been identified for destruction.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether they outline the erasure or other destruction of personal information that has been identified for destruction.

P5.1 - The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity's objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity's objectives related to privacy.

P5.1.1

Control Description - Should discuss whether the Company authenticates the identity of data subjects who request access to their personal information before they are given access to that information.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company authenticates the identity of data subjects who request access to their personal information before they are given access to that information.

P5.1.2

Control Description - Should discuss whether the Company maintains personal information and permits data subjects access to their personal information.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company maintains personal information and permits data subjects access to their personal information.

P5.1.3

Control Description - Should discuss whether the Company provides personal information to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company provides personal information to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost.

P5.1.4

Control Description - Should discuss whether the Company informs data subjects in a timely manner if access is denied to their personal information.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company informs data subjects in a timely manner if access is denied to their personal information.

P5.2 - The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity's objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity's objectives related to privacy.

P5.2.1

Control Description - Should discuss whether the Company informs data subjects, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, and the individual's right to challenge such denial.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company informs data subjects, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, and the individual's right to challenge such denial.

P5.2.2

Control Description - Should discuss whether the Company permits data subjects to update or correct personal information held by the entity, and whether the Company provides updated or corrected information to third parties that were previously provided with the data subject's personal information consistent with the Company's objective related to privacy.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company permits data subjects to update or correct personal information held by the entity, and whether the Company provides updated or corrected information to third parties that were previously provided with the data subject's personal information consistent with the Company's objective related to privacy.

P5.2.3

Control Description - Should discuss whether the Company informs data subjects, in writing, of the reason a request for correction of personal information was denied and how they may appeal.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company informs data subjects, in writing, of the reason a request for correction of personal information was denied and how they may appeal.

P6.1 - The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity's objectives related to privacy.

P6.1.1

Control Description - Should discuss whether the Company communicates privacy policies or other specific instructions or requirements for handling personal information to third parties.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company communicates privacy policies or other specific instructions or requirements for handling personal information to third parties.

P6.1.2

Control Description - Should discuss whether the Company discloses personal information to third parties only for the purposes for which it was collected or created, and only when implicit or explicit consent has been obtained from the data subject.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company discloses personal information to third parties only for the purposes for which it was collected or created, and only when implicit or explicit consent has been obtained from the data subject.

P6.1.3

Control Description - Should discuss whether the Company discloses personal information to third parties who have agreements with the Company to protect personal information in a manner consistent with the relevant aspects of the Company's privacy notice.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company discloses personal information to third parties who have agreements with the Company to protect personal information in a manner consistent with the relevant aspects of the Company's privacy notice.

P6.1.4

Control Description - Should discuss whether the Company discloses personal information to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company discloses personal information to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects.

P6.2 - The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity's objectives related to privacy.

P6.2.1

Control Description - Should discuss whether the Company creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.

P6.3 - The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy.

P6.3.1

Control Description - Should discuss whether the Company creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.

P6.4 - The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity's objectives related to privacy. The entity assesses those parties' compliance on a periodic and as-needed basis and takes corrective action, if necessary.

P6.4.1

Control Description - Should discuss whether the Company discloses personal information to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy notice.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company discloses personal information to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy notice.

P6.4.2

Control Description - Should discuss whether the Company takes remedial action in response to misuse of personal information by a third party to whom the Company transferred information.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company takes remedial action in response to misuse of personal information by a third party to whom the Company transferred information.

P6.5 - The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity's objectives related to privacy.

P6.5.1

Control Description - Should discuss whether the Company takes remedial action in response to misuse of personal information by a third party to whom the Company transferred such information.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company takes remedial action in response to misuse of personal information by a third party to whom the Company transferred such information.

P6.5.2

Control Description - Should discuss whether the Company has a process for obtaining commitments from vendors and other third parties to report to the Company actual or suspected unauthorized disclosures of personal information.

What we should test - Should inspect the policies and procedures to determine whether the Company has a process for obtaining commitments from vendors and other third parties to report to the Company actual or suspected unauthorized disclosures of personal information.

P6.6 - The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy.

P6.6.1

Control Description - Should discuss whether the Company takes remedial action in response to misuse of personal information by a third party to whom the Company transferred information.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company takes remedial action in response to misuse of personal information by a third party to whom the Company transferred information.

P6.6.2

Control Description - Should discuss whether the Company has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the Company's objectives related to privacy.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the Company's objectives related to privacy.

P6.7 - The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects' personal information, upon the data subjects' request, to meet the entity's objectives related to privacy.

P6.7.1

Control Description - Should discuss whether the Company identifies the types of personal information and sensitive personal information and the handling process of such information.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company identifies the types of personal information and sensitive personal information and the handling process of such information.

P6.7.2

Control Description - Should discuss whether the Company captures and identifies requests from data subjects for an accounting of the personal information held, and communicates that accounting to the data subjects to meet the Company's objectives related to privacy.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company captures and identifies requests from data subjects for an accounting of the personal information held, and communicates that accounting to the data subjects to meet the Company's objectives related to privacy.

P7.1 - The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy.

P7.1.1

Control Description - Should discuss whether the Company ensures personal information is accurate and complete for the purposes for which it is to be used.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company ensures personal information is accurate and complete for the purposes for which it is to be used.

P7.1.2

Control Description - Should discuss whether the Company ensures personal information is relevant to the purposes for which it is to be used.

What we should test - Should inspect the policies and procedures regarding privacy to determine whether the Company ensures personal information is relevant to the purposes for which it is to be used.

P8.1 - The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.

P8.1.1

Control Description - Should discuss whether the Company informs data subjects about how to contact the Company with inquiries, complaints, and disputes.

What we should test - Should inspect the policies and procedures and/or Company website to determine whether contact information is included that is communicated to data subjects.

P8.1.2

Control Description - Should discuss whether the Company has a process in place to address inquiries, complaints, and disputes.

What we should test - Should inspect the policies and procedures to determine whether the Company has a process in place to address inquiries, complaints, and disputes.

P8.1.3

Control Description - Should discuss whether the Company addresses each complaint, documents the resolution, and communicates these to the individual.

What we should test - Should inspect the policies and procedures to determine whether the Company addresses each complaint, documents the resolution, and communicates these to the individual.

P8.1.4

Control Description - Should discuss whether the Company documents and reports its compliance review results, and whether remediation plans are developed and implemented for any problems identified.

What we should test - Should inspect the policies and procedures to determine whether the Company documents and reports its compliance review results, and whether remediation plans are developed and implemented for any problems identified.

P8.1.5

Control Description - Should discuss whether the Company documents and reports all instances of noncompliance with objectives related to privacy, and whether corrective and disciplinary measures are taken on a timely basis.

What we should test - Should inspect the policies and procedures to determine whether the Company documents and reports all instances of noncompliance with objectives related to privacy, and whether corrective and disciplinary measures are taken on a timely basis.

P8.1.6

Control Description - Should discuss whether the Company performs ongoing procedures for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.

What we should test - Should inspect the policies and procedures to determine whether the Company performs ongoing procedures for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.