COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities
Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives
Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective
The method of communication considers the timing, audience, and nature of the information
Additional point of focus specifically related to all engagements using the trust services criteria:
Communicates Responsibilities: Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities.
Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters: Entity personnel are provided with information on how to report system failures, incidents, concerns, and other complaints to personnel.
The entity communicates its objectives and changes to those objectives to personnel in a timely manner
The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:
Communicates Information About System Operation and Boundaries: The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation.
The entity communicates its objectives to personnel to enable them to carry out their responsibilities
System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner.
- CPL-01 - Statutory, Regulatory & Contractual Compliance
- CPL-02 - Cybersecurity & Data Protection Controls Oversight
- GOV-05 - Measures of Performance
- GOV-05.1 - Key Performance Indicators (KPIs)
- GOV-05.2 - Key Risk Indicators (KRIs)
- HRS-03 - Roles & Responsibilities
- OPS-01 - Operations Security
- OPS-01.1 - Standardized Operating Procedures (SOP)
- PRM-01 - Cybersecurity & Data Privacy Portfolio Management
- PRM-05 - Cybersecurity & Data Privacy Requirements Definition
- SEA-01 - Secure Engineering Principles
- SEA-02.1 - Standardized Terminology