cc31.md

SOC2 - CC3.1

COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

Operations Objectives: Reflects Management's Choices

Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity

Considers Tolerances for Risk

Management considers the acceptable levels of variation relative to the achievement of operations objectives

External Financial Reporting Objectives: Complies With Applicable Accounting Standards

Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.

External Nonfinancial Reporting Objectives: Complies With Externally Established Frameworks

Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations

Reflects Entity Activities

External reporting reflects the underlying transactions and events within a range of acceptable limits. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.

Internal Reporting Objectives: Reflects Management's Choices

Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity. Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.. Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits.

Compliance Objectives: Reflects External Laws and Regulations

Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives

Considers Tolerances for Risk

Management considers the acceptable levels of variation relative to the achievement of operations objectives. Additional point of focus specifically related to all engagements using the trust services criteria: Establishes Sub-objectives to Support Objectives—Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance..

Mapped SCF controls

• PRM-01 - Cybersecurity & Data Privacy Portfolio Management
• PRM-04 - Cybersecurity & Data Privacy In Project Management
• PRM-06 - Business Process Definition
• RSK-01 - Risk Management Program
• RSK-09 - Supply Chain Risk Management (SCRM) Plan
• SEA-02 - Alignment With Enterprise Architecture