SOC2 - CC2.3

COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control

Communicates to External Parties

Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties

Enables Inbound Communications

Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information

Communicates With the Board of Directors

Relevant information resulting from assessments conducted by external parties is communicated to the board of directors

Provides Separate Communication Lines

Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective

Selects Relevant Method of Communication

The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations

Communicates Objectives Related to Confidentiality and Changes to Objectives

The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality

Additional point of focus that applies only to an engagement using the trust services criteria for privacy:

Communicates Objectives Related to Privacy and Changes to Objectives

The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives

Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:

Communicates Information About System Operation and Boundaries

The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation

Communicates System Objectives

The entity communicates its system objectives to appropriate external users

Communicates System Responsibilities

External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities

Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters

External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel.

Mapped SCF controls