SOC 2 Control Activities Pack – Corporate Governance & Human Resource – Engagement Letter Template

Our Engagement Letter Template for Corporate Governance & Human Resources is part of the Figsflow SOC 2 Control Activities Pack, purpose-built to support your journey to compliance.

Template Content Overview

Last updated: July 2025

SOC 2 Compliance: Corporate Governance & Human Resources Workflow

Purpose: To establish a robust framework for corporate governance and human resource management that supports the firm’s SOC 2 compliance, ensuring security, availability, processing integrity, confidentiality, and privacy through effective people-related controls.

1️⃣ Establish Governance Framework

☐ Define organizational structure and reporting lines.

☐ Document roles, responsibilities, and authorities.

☐ Establish a board or oversight body that demonstrates independence from management.

☐ Ensure the board exercises oversight of internal control development and performance.

2️⃣ Develop and Maintain Policies & Procedures

Information Security Policy:

☐ Create, review, and approve an Information Security Policy.

☐ Ensure it addresses control activities for mitigating risks to acceptable levels (CC5.1).

☐ Include general control activities over technology (CC5.2).

☐ Detail how policies establish expectations and procedures put them into action (CC5.3).

☐ Periodically review and update the Information Security Policy.

Code of Conduct:

☐ Develop and implement a Code of Conduct demonstrating commitment to integrity and ethical values (CC1.1).

☐ Ensure new employees acknowledge and sign the Code of Conduct.

☐ Periodically review and approve the Code of Conduct.

Human Resources Policy:

☐ Establish an HR Policy outlining structures, reporting lines, authorities, and responsibilities (CC1.3).

☐ Address the commitment to attract, develop, and retain competent individuals (CC1.4).

☐ Detail how individuals are held accountable for internal control responsibilities (CC1.5).

☐ Document job descriptions for all employees.

☐ Outline processes for employee performance evaluations.

☐ Define procedures for background checks for new hires.

☐ Establish a process for handling identified or reported employee violations and investigative reports.

☐ Ensure new employees sign confidentiality agreements.

Communications Policy:

☐ Develop a Communications Policy for external parties regarding internal control matters (CC2.3).

☐ Ensure signed service agreements are in place with customers and third-party service providers.

3️⃣ Implement Internal Controls

☐ Implement controls as described in the Information Security Policy and maintain records of design and operation.

☐ Maintain an up-to-date organizational chart.

☐ Ensure HR systems are integrated with SSO/identity systems (if applicable), so that user access reflects current employment status.

☐ Conduct employee performance evaluations (e.g., quarterly).

☐ Perform background checks for all new hires.

☐ Investigate and report on employee violations.

☐ Obtain signed confidentiality agreements from new employees.

☐ Maintain lists of customers and third-party service providers with signed agreements.

4️⃣ Gather Evidence for SOC 2 Examination

☐ Maintain Information Security Policies reviewed and approved.

☐ Maintain Company Information Security Policies reviewed and approved.

☐ Maintain Internal Audit Reports.

☐ Maintain reviewed and approved Code of Conduct documents.

☐ Keep records of new employees and completeness checks.

☐ Maintain Code of Conduct Acknowledgement Forms for new hires.

☐ Ensure policy storage is documented and accessible.

☐ Maintain Organizational Chart and system integration documentation.

☐ Maintain list of existing employees and completeness checks.

☐ Keep documented job descriptions.

☐ Keep records of Employee Performance Evaluations (Q1, Q2, Q3, Q4).

☐ Keep records of Completed Background Check Results.

☐ Maintain population lists of identified or reported employee violations and investigative reports.

☐ Maintain signed confidentiality agreements.

☐ Maintain populations of customers and third-party service providers with completeness checks.

☐ Keep evidence of signed service agreements with customers and third parties.

☐ Maintain Contractor Service Agreements if applicable.

5️⃣ Conduct SOC 2 Examination

☐ Perform detailed test procedures for each control activity.

☐ Document test procedure details and work paper references.

☐ Determine if each control is Effective or Ineffective.

☐ Document details of any findings and observations.

6️⃣ Ongoing Compliance & Monitoring

☐ Continuously monitor the effectiveness of internal controls.

☐ Address any findings and observations from SOC 2 examinations.

☐ Review and update policies and procedures periodically.

☐ Ensure ongoing adherence to all established policies and procedures.

Everything This Template Covers

Designed to help firms meet SOC 2 requirements with a focus on corporate governance and HR management, this template


Built for ACSP Compliance Standards

Figsflow’s SOC 2 Control Activities Pack has helped hundreds of companies streamline their audit documentation, stay on track with deadlines, and pass audits with confidence.

ACCA

CIOT

CIMA

ICAEW

ATT

AAT

& Many More

FAQs to Keep You Moving

Got questions? We’ve got answers.
Explore our FAQs to learn how FigsFlow simplifies your workflows and boosts efficiency.

What is the purpose of this template?

This template helps firms establish SOC 2-compliant corporate governance and HR controls to ensure security, availability, confidentiality, and privacy.

Who can use this template?

It’s designed for businesses of all sizes needing to meet SOC 2 compliance standards, focusing on HR and corporate governance.

How customizable is the template?

The template is fully customizable to fit your organization’s specific governance and HR requirements.

How quickly can I implement this template?

The template is easy to use and can be integrated quickly into your SOC 2 compliance workflow.
