Auditing CC5.0: A Guide to Evaluating Control Activities in SOC 2
Auditing CC5.0, a core criterion within the SOC 2 (System and Organization Controls 2) framework's Common Criteria (CC-series), involves a thorough examination of an organization's processes for selecting, developing, and deploying control activities designed to mitigate risks and achieve its objectives. This criterion is fundamental to demonstrating a robust control environment. An effective audit of CC5.0 provides assurance that an entity has not only identified necessary controls but is also actively using them to manage threats to its systems and data.
The CC5.0 series is broken down into three key points of focus:
• CC5.1: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. This focuses on how the organization identifies and chooses specific controls in response to its risk assessment.
• CC5.2: The entity selects and develops general control activities over technology to support the achievement of objectives. This addresses controls over the technology infrastructure, security management, and technology acquisition, development, and maintenance.
• CC5.3: The entity deploys control activities through policies that establish what is expected and procedures that put policies into action. This emphasizes the operationalization of controls, ensuring they are documented and implemented effectively.
Auditing these components requires a structured approach:
1. Understanding the Scope and Context:
Before diving into testing, an auditor must:
• Understand the Organization's Objectives and Risk Assessment Process (linking to CC3.0): CC5.0 is intrinsically linked to risk assessment (CC3.0). Auditors need to understand the organization's identified risks to evaluate if the selected control activities are appropriate and sufficient to mitigate those risks.
• Identify In-Scope Systems and Services: Determine which systems, services, and processes are covered by the SOC 2 audit, as this will define the boundaries for evaluating control activities.
• Review Relevant Documentation: This includes risk assessment reports, control frameworks adopted by the organization (e.g., COBIT, NIST), policies and procedures related to control activities, system architecture diagrams, and previous audit reports.
2. Evaluating the Design of Control Activities (CC5.1 & CC5.2):
This phase assesses whether the controls, as designed, are capable of effectively preventing or detecting and correcting material misstatements or deviations from control objectives. Key audit procedures include:
• Inquiries with Management and Personnel: Discuss with management their process for selecting and developing control activities. Understand how they consider entity-specific factors, the mix of control types (preventive, detective, manual, automated), and the levels at which controls are applied.
• Review of Control Design Documentation: Examine documented control procedures, system configurations, and other evidence that outlines how controls are intended to operate.
• Walkthroughs: Trace one or more transactions or processes through the system to observe the designed controls in action and confirm understanding. For example, for CC5.2, this might involve walking through the process for granting new user access to a critical system to understand the technology controls in place.
• Assessing Alignment with Risk Mitigation: Evaluate whether the selected control activities directly address identified risks. For instance, if a risk of unauthorized data access is identified, auditors will look for control activities like access control lists, multi-factor authentication, and regular access reviews.
• Evaluating General Technology Controls (CC5.2): This involves assessing controls over areas like:
o Infrastructure: Controls over networks, operating systems, and databases.
o Security Management: Controls for preventing and detecting security incidents, managing vulnerabilities, and responding to threats.
o Technology Acquisition, Development, and Maintenance: Controls over how new technology is introduced, systems are developed, and changes are managed (linking to CC8.0 - Change Management).
3. Testing the Operating Effectiveness of Control Activities (CC5.3):
This phase determines if the controls are consistently applied as designed over the audit period (for a Type 2 SOC 2 report). Audit procedures include:
• Observation: Observe personnel performing control activities to assess whether they are being carried out as documented.
• Inspection of Evidence: Examine records, logs, reports, and other tangible evidence demonstrating that controls have operated. For example, reviewing user access review logs, change management tickets, or incident response reports.
• Re-performance: Independently re-perform control activities to verify they achieve the intended result. For instance, attempting to access a system with unauthorized credentials to test access controls.
• Testing of Policies and Procedures (CC5.3):
o Verify that policies related to control activities are formally documented, approved, and communicated to relevant personnel.
o Confirm that procedures exist to implement these policies.
o Assess whether responsibility and accountability for executing policies and procedures are clearly defined.
o Check if control activities are performed in a timely manner by competent personnel.
o Evaluate the process for investigating and acting on matters identified as a result of performing control activities (remedial actions).
• Sampling: Select a sample of transactions or instances of control operation to test. The size and nature of the sample will depend on the frequency of the control, its criticality, and other factors.
4. Evaluating and Reporting Findings:
Based on the evidence gathered, the auditor will:
• Assess Deficiencies: Identify any instances where controls are not designed or operating effectively. These deficiencies will be evaluated for their potential impact.
• Form an Opinion: Conclude on the fairness of the description of the service organization's system and the suitability of the design and operating effectiveness of the controls (for a Type 2 report) related to CC5.0.
• Report: Document the audit procedures performed, the findings, and the auditor's opinion in the SOC 2 report.
Key Considerations for Auditing CC5.0:
• Integration with Other Common Criteria: CC5.0 does not exist in isolation. It is closely related to CC1 (Control Environment), CC2 (Communication and Information), CC3 (Risk Assessment), and CC4 (Monitoring Activities), as well as more specific criteria like CC6 (Logical and Physical Access Controls), CC7 (System Operations), and CC8 (Change Management). Auditors will consider these interdependencies.
• Preventive vs. Detective Controls: Evaluate the mix of controls. Preventive controls aim to stop errors or irregularities from occurring, while detective controls are designed to find them after they have occurred.
• Automated vs. Manual Controls: Assess the reliability of both automated system controls and manual controls performed by personnel. Automated controls often require testing of IT General Controls (ITGCs).
• Segregation of Duties: Determine if incompatible duties (e.g., initiating and approving a transaction) are appropriately segregated or if alternative control activities are in place where segregation is not feasible.
• Continuous Monitoring: While CC4.0 specifically addresses monitoring, the effectiveness of CC5.0 controls often relies on ongoing monitoring to ensure they remain relevant and functional.
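The following script is an added example, not part of this guide or any auditing firm's methodology. It puts two of the procedures above into code: the inspection of change-management ticket evidence and frequency-based sampling from section 3, and the segregation-of-duties check from the key considerations. The ticket records, the audit period, and the sample-size table are all constructed for illustration; real engagements would export the population from the ticketing system and take sample sizes from the auditor's own methodology.

```python
"""Evidence inspection for CC5.3 operating-effectiveness testing (added example).

Scans a population of change-management tickets for an audit period, draws a
reproducible sample sized by control frequency, and flags tickets that lack
approval, where requester and approver are the same person (segregation-of-
duties conflict), or that carry no evidence of testing before release.
"""
import random
from datetime import date

# Constructed sample evidence: a hypothetical export of change tickets.
# Field names (id, closed, requester, approver, tested) are assumptions.
TICKETS = [
    {"id": "CHG-101", "closed": date(2024, 1, 9),  "requester": "alice", "approver": "bob",   "tested": True},
    {"id": "CHG-102", "closed": date(2024, 2, 3),  "requester": "carol", "approver": "carol", "tested": True},   # self-approved
    {"id": "CHG-103", "closed": date(2024, 3, 15), "requester": "dave",  "approver": "bob",   "tested": False},  # no test evidence
    {"id": "CHG-104", "closed": date(2024, 4, 20), "requester": "alice", "approver": None,    "tested": True},   # never approved
    {"id": "CHG-105", "closed": date(2024, 5, 2),  "requester": "erin",  "approver": "bob",   "tested": True},
    {"id": "CHG-106", "closed": date(2024, 7, 1),  "requester": "alice", "approver": "bob",   "tested": True},   # outside period
]

# Constructed audit period for a Type 2 examination.
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 6, 30)

# Assumed sample sizes keyed by how often the control operates. These are
# illustrative values, not figures from the guide; use your firm's table.
SAMPLE_SIZES = {
    "annual": 1, "quarterly": 2, "monthly": 2,
    "weekly": 5, "daily": 25, "per_occurrence": 25,
}


def in_period(tickets, start=PERIOD_START, end=PERIOD_END):
    """Keep only evidence whose control operation falls inside the audit period."""
    return [t for t in tickets if start <= t["closed"] <= end]


def inspect_ticket(ticket):
    """Return the list of deficiency codes for one ticket; an empty list is clean."""
    findings = []
    if not ticket["approver"]:
        findings.append("missing_approval")
    elif ticket["approver"] == ticket["requester"]:
        # Initiating and approving the same change are incompatible duties.
        findings.append("sod_conflict")
    if not ticket["tested"]:
        findings.append("missing_test_evidence")
    return findings


def select_sample(population, frequency, seed=42):
    """Draw a reproducible random sample sized by control frequency.

    The seed is recorded in the workpapers so a reviewer can regenerate the
    same selection. If the population is no larger than the sample size, the
    whole population is tested.
    """
    size = SAMPLE_SIZES[frequency]
    if len(population) <= size:
        chosen = list(population)
    else:
        chosen = random.Random(seed).sample(population, size)
    return sorted(chosen, key=lambda t: t["id"])


def inspect_evidence(tickets, frequency, seed=42):
    """Run the full procedure: scope to period, sample, inspect, summarise."""
    population = in_period(tickets)
    sample = select_sample(population, frequency, seed)
    exceptions = {t["id"]: f for t in sample if (f := inspect_ticket(t))}
    return {
        "population": len(population),
        "sample": [t["id"] for t in sample],
        "exceptions": exceptions,
        "exception_rate": len(exceptions) / len(sample) if sample else 0.0,
    }


if __name__ == "__main__":
    result = inspect_evidence(TICKETS, "daily")
    print(f"population: {result['population']}, sampled: {len(result['sample'])}")
    for ticket_id, findings in result["exceptions"].items():
        print(f"  {ticket_id}: {', '.join(findings)}")
    print(f"exception rate: {result['exception_rate']:.0%}")
```

Each exception the script reports is a starting point for inquiry, not a conclusion: the auditor still traces the ticket back to the documented procedure to decide whether it is an isolated lapse or a control that is not operating as designed, and whether a compensating control covers the case where segregation of duties was not feasible.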
By following a systematic audit approach that thoroughly examines the
design and operating effectiveness of control activities as outlined in
CC5.1, CC5.2, and CC5.3, auditors can provide valuable assurance on an
organization's ability to mitigate risks and achieve its objectives.