Many employers incorporate background checks into their SOC 2 compliance program. Simply stated, screening your employees for relevant conviction history is an effective way to demonstrate that you meet certain control objectives. However, designing your background check policy to meet a specific security objective like SOC 2 may introduce unintended consequences and interfere with other company objectives including fair chance hiring.
So, how can organizations use background checks for SOC 2 compliance and still be fair chance employers?
First, understand what is actually required to meet your control objectives. SOC attestations pivot off of the COSO controls. However, these are principles-based and not nearly as rigid as many organizations may think. In many areas, you get to choose your own controls to meet the identified objectives.
For example: COSO Principle 16 (This is where background checks come into play):
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Note that the attestation standard doesn’t mandate background screening—and more importantly, it doesn't mandate any specific program or policy. This leaves plenty of room for organizations to demonstrate security controls through background checks, but do so as fair chance employers.
Job relevant screening and SOC 2
For some, this may be the first time you are screening employees. So before creating a policy that applies to all employees, keep in mind all the great work they do. Would the existence of a criminal record change that? Remember, fair chance employers commit to minimizing unnecessary exclusions.
One way to minimize exclusions is to create job specific screening guidelines. Both the types of information you screen for (background check packages) and your evaluation process can be tailored based on the individual’s level of system access. It’s pretty uncommon for all of an organization’s employees to have the same job duties or equivalent access to facilities and critical information (If you’re not sure, take a look at your organization’s RBAC systems). This is a common way to maintain more flexibility in your hiring process while maintaining your commitment to your SOC 2 controls.
But implementing a job relevant background check program is just the first step. To achieve combined SOC 2 & fair chance hiring objectives, organizations need to think about maintaining the program over time.
Demonstrating SOC 2 compliance
There are two types of SOC 2 audits. Type 1 audits are a “snapshot in time”. Here, your auditor is simply examining whether you have reasonable controls in place to potentially meet your objectives. For example: you have a background screening policy in place.
Type 2 audits examine evidence and effectiveness of your controls over time (commonly six months). With fair chance background checks as your chosen control, auditors will primarily be looking for (1) proof that you are in fact running background checks; and (2) proof that your job relevant program is being applied consistently.
For example: Within your fair chance hiring program, you have isolated certain types of offenses that are job relevant, e.g., Identity Theft for individuals with access to sensitive PII. But not all roles in your organization pose that same risk and you are minimizing exclusions. Can you effectively demonstrate to your auditor that you are maintaining your policy?
This is where Checkr’s products are designed to support your SOC 2 compliance needs. With tools like Assess and Insights you can consistently evaluate criminal records based on your policy, and align your review procedures with fair chance best practice. Tools like Candidate Stories allow you to request further information on a candidate's record. With these tools in place, you can demonstrate that you have appropriate security controls, but are also doing so as a fair chance employer.
To learn about fair chance hiring, find more resources here.