Is a Board of Directors (BoD) required for SOC 2?
Overview
The SOC 2 COSO Principle 2 addresses the roles and expectations of the BoD in providing oversight of internal controls. A BoD is usually present in large enterprises; however, for startups and less mature organizations, this is not always the case.
Why the need for a BoD?
A BoD's role in an organization is to oversee management and provide strategic direction for the organization. The BoD is usually composed of internal executive members and external members. The external members should be the majority, and this is important because an independent majority will put the best interests of the shareholders first.
Who needs a BoD?
In general, the requirement for a BoD is reserved for public companies. Every publicly listed company, C corporation, S corporation and not-for-profit is legally required to have a BoD. The exceptions are limited liability companies (LLCs) and sole proprietorships, which do not require a BoD.
SOC 2 has become a popular contractual compliance framework that businesses use to demonstrate their security posture, and SOC 2 does have a criterion that requires organizations to have an independent BoD in place to provide adequate oversight of the organization. As a result, any business and/or service organization looking to comply with SOC 2 must address the requirement for a BoD.
Having a BoD is the easiest way to meet the SOC 2 requirement; however, for a smaller and/or less mature company, there are alternatives to a BoD.
What are the alternatives to a BoD?
According to the AICPA, the proper alternative would have to be: “Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.”
The AICPA guidance expands on the requirements and provides some wiggle room for smaller companies. The AICPA guidance allows small companies to set up independent committees or groups to act as an oversight committee. It is important to note that, to be considered an effective alternative, the function and oversight responsibilities of the group should be formally documented in a charter document.
This is good news: smaller companies may just need to demonstrate to their auditors that a senior management team, executive council or committee is in place instead of a BoD to provide oversight of the organization. The senior management team, executive council or committee will need to operate in a way that demonstrates effective oversight, such as holding frequent meetings during which the organization's performance and strategic goals are discussed.
Summary
The answer is yes: you do need to meet the BoD criterion for SOC 2; however, depending on the nature of the organization, alternatives to a BoD, such as an IT steering committee or an executive leadership group, can be used to demonstrate compliance with the requirement.