A risk assessment should be considered a non-negotiable practice for any successful company for a host of reasons:
- Protection of physical and digital assets
- Legal and Regulatory Compliance
- Business Continuity
- Financial Stability and Cost Savings
- Improved decision making
The risk assessment is also one of the areas covered by the Common Criteria tested in a SOC 2 report. In our experience, organizations that treat the risk assessment as a genuine business practice, rather than a performative compliance exercise, meet the SOC 2 criteria without much additional effort.
As an auditor, I frequently observe that risk assessments become a hollow, “check-the-box” exercise when they are driven solely by compliance mandates rather than a genuine commitment from the top. When leadership views the process as a bureaucratic hurdle rather than a strategic necessity, the resulting assessment is inevitably flawed and lacks thoroughness. If there is no leadership buy-in, the process often fails to gather input from all the right stakeholders and subject matter experts, leading to a narrow scope that might cover only a specific subset of risks. This imbalance of expert involvement often results in mis-ranked risks and misaligned mitigations.
When building the risk assessment and risk management process, the SOC 2 criteria can serve as a guide or foundation, because they start with identifying business objectives and take in the entire organization. The following sections cover the SOC 2 criteria that relate directly to the risk assessment and risk management processes, an auditor’s interpretation of the spirit of each criterion, and a few techniques for bringing the organization’s risk assessment and risk management processes up to what SOC 2 control testing expects.

CC3.0: Risk Assessment Process
There are four criteria within CC3.0: Risk Assessment of the SOC 2 report. Each criterion corresponds to a COSO principle and describes a specific aspect of the risk assessment and risk management processes (quoted below; the wording follows the COSO principles as published on COSO.org).
- “CC3.1 (COSO Principle 6): The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”
- “CC3.2 (COSO Principle 7): The entity identifies risk to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
- “CC3.3 (COSO Principle 8): The entity considers the potential for fraud in assessing risks to the achievement of objectives.”
- “CC3.4 (COSO Principle 9): The entity identifies and assesses changes that could significantly impact the system of internal control.”
CC3.1 (COSO Principle 6)
Take a step back and examine the organization’s risk assessment and management processes, and ask: why is the organization conducting a risk assessment in the first place? Is it to identify only IT risks? Is it to mitigate risks to an acceptable level? Not necessarily. Those are only components of a risk assessment. The main purpose of conducting a risk assessment is to identify the strategic, operational, technical, and financial risks that, if realized, could prevent the organization from achieving one or more of its business objectives or commitments made to customers. At the beginning of the risk assessment process, ask the following questions:
- What are the organization’s business objectives?
- Are these objectives formally documented?
- Are the risks identified within the risk assessment cascaded from the organization’s objectives?
A SOC 2 report is often misinterpreted as solely focused on IT security. This was the case in a recent audit, and the risk assessment was performed and documented solely by the IT department. Technical risks and vulnerabilities were the only risks identified because the business objectives as a whole were not identified. I felt this pitfall could have been avoided if the entity had included leadership, finance, and HR in the process.
CC3.2 (COSO Principle 7)
This criterion speaks directly to performing a risk assessment that identifies risks to the achievement of the organization’s objectives and commitments made to customers. CC3.2 also covers how the entity decides to manage each identified risk to an acceptable level by categorizing and evaluating it and creating a risk mitigation strategy for it. Make sure the risk identification and assessment processes include the following:
- Documentation of the process, procedures, and framework (for example ISO/IEC 27001:2022 or NIST SP 800-30) followed during the risk assessment.
- Categorization of each risk.
- A rating for each risk on a defined evaluation scale (Likelihood x Impact).
In our experience, merely documenting the risks, their rankings, and the mitigation measures in a spreadsheet misses the mark. Clearly documenting the rationale and strategy the organization should use in identifying and ranking the risks puts each contributor on the same page and results in a better overall assessment.
CC3.3 (COSO Principle 8)
Fraud should be a major consideration in an organization’s risk assessment and management processes. An analysis of the fraud risks and schemes that may impact achieving the organization’s objectives and commitments to customers should be included within the risk assessment. And always remember the Fraud Triangle: Motive/Pressure, Opportunity, and Rationalization.
Glass-half-full contributors may not naturally consider fraud risk, so specifically adding it to the procedures and reminding contributors to consider fraud risk will help meet this criterion. We often look to see that risk assessment meetings occur on a regular basis, that the appropriate departments and levels of expertise are attending, and that discussion of changes is part of the risk assessment meeting agenda.
CC3.4 (COSO Principle 9)
During my professional career, I have seen many organizations struggle to understand the meaning of this criterion. Organizations that fail to monitor and assess the risks introduced by changes within the organization can be more vulnerable to data loss or breaches. An organization may not have had any major terminations, changes to leadership, or business mergers, but in the time between risk assessment reviews, an organization typically goes through some type of change.
Here are a few examples of changes that organizations may have experienced that, if not monitored and assessed, could negatively impact an organization:
- Current technology/adoption of new technology
- Changes to leadership
- Laws and regulations
- Third-party vendors or business partners
Organizations that revisit the risk assessment on a periodic, scheduled basis with the intent to update it based on changes in the organization often have this criterion covered. One client makes identifying changes to the risk assessment part of its change management process: when a change is reviewed, the reviewers ask, “Does this change add or remove any risks in the risk assessment?” This proactive approach keeps their risk assessment relevant.

CC5.0: Control Activities
Next, there are two criteria within CC5.0 that relate directly to the risk assessment, and more specifically to risk mitigation.
- CC5.1 (COSO Principle 10): The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- CC5.2 (COSO Principle 11): The entity also selects and develops general control activities over technology to support the achievement of objectives.
Once the risks to an organization achieving its business objectives have been identified and evaluated, risk mitigation strategies and plans should be created for each risk. Risk mitigation strategies can include processes, controls, and timeframes to mitigate each risk to an acceptable level. Consider the following:
- Were risks from previous risk assessment(s) included in the most recent version and reviewed?
- Does each risk have a risk owner?
- What mitigation strategy (Accept, Transfer, Avoid, Mitigate) was determined?
- Were processes and controls in place to mitigate the risk to an acceptable level?
- What is the remediation timeframe for each risk?
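The questions above are easy to answer for three risks and easy to lose track of across fifty. As an added example (not from the original post or from Linford & Company), here is a small Python linter that checks a risk register against those questions plus the CC3.2 rating and CC3.3 fraud points from earlier: prior-year risks carried forward, an owner on every risk, a recognized strategy, a Likelihood x Impact score on a defined scale, controls and a remediation date for any high-scoring risk that is not explicitly accepted, and at least one fraud risk on the register. The register schema (a list of dicts with the keys shown), the 1 to 5 scale, the treatment threshold of 8, and the sample risks are all constructed assumptions for illustration, not a format SOC 2 prescribes.

```python
"""Lint a risk register against the CC3.2 / CC3.3 / CC5.1 questions in the text.

Added example. The register schema, the 1-5 scale, the treatment threshold
and the sample data are assumptions for illustration, not a SOC 2 format.
"""
from typing import Iterable

STRATEGIES = {"accept", "transfer", "avoid", "mitigate"}  # CC5.1 options named in the post
SCALE = range(1, 6)                                        # assumed 1-5 likelihood / impact scale
TREATMENT_THRESHOLD = 8                                    # assumed: score >= 8 needs treatment

# Constructed sample data: risk IDs from last year's assessment and this year's draft register.
PREVIOUS_RISK_IDS = {"R-1", "R-2", "R-3"}
CURRENT_REGISTER = [
    {"id": "R-1", "category": "technical", "likelihood": 4, "impact": 5,
     "owner": "Head of Engineering", "strategy": "mitigate",
     "controls": ["MFA enforced on all admin consoles"], "due": "2026-03-31"},
    {"id": "R-2", "category": "financial", "likelihood": 2, "impact": 3,
     "owner": "Controller", "strategy": "accept", "controls": [], "due": None},
    {"id": "R-4", "category": "operational", "likelihood": 5, "impact": 4,
     "owner": "", "strategy": "fix it", "controls": [], "due": None},
]


def score(risk: dict) -> int:
    """Likelihood x Impact, the evaluation scale named under CC3.2."""
    return risk["likelihood"] * risk["impact"]


def lint_register(current: list[dict], previous_ids: Iterable[str]) -> list[tuple[str, str]]:
    """Return (risk_id, finding_code) pairs; an empty list means the register passes."""
    findings: list[tuple[str, str]] = []
    current_ids = {r["id"] for r in current}

    # CC5.1: every risk from the previous assessment must be carried forward
    # (or closed with a recorded reason, which this schema does not model).
    for rid in sorted(set(previous_ids) - current_ids):
        findings.append((rid, "DROPPED"))

    for r in current:
        rid = r["id"]
        if not r.get("owner"):                       # every risk needs a risk owner
            findings.append((rid, "NO_OWNER"))
        if r.get("strategy") not in STRATEGIES:      # strategy must be one of the four
            findings.append((rid, "BAD_STRATEGY"))
        if r.get("likelihood") not in SCALE or r.get("impact") not in SCALE:
            findings.append((rid, "BAD_SCALE"))      # cannot be scored; skip treatment checks
            continue
        if score(r) >= TREATMENT_THRESHOLD:
            if r.get("strategy") == "accept":
                # Assumption: accepting a high-scoring risk should be a deliberate,
                # signed-off decision, so surface it for review.
                findings.append((rid, "ACCEPTED_HIGH"))
            else:
                if not r.get("controls"):            # controls in place to mitigate it?
                    findings.append((rid, "NO_CONTROLS"))
                if not r.get("due"):                 # remediation timeframe set?
                    findings.append((rid, "NO_DUE"))

    # CC3.3: the register must show that fraud was considered at all.
    if not any(r.get("category") == "fraud" for r in current):
        findings.append(("*", "NO_FRAUD_RISK"))
    return findings


if __name__ == "__main__":
    for rid, code in lint_register(CURRENT_REGISTER, PREVIOUS_RISK_IDS):
        print(f"{rid:>4}  {code}")
```

Run against the sample register it reports R-3 as dropped, flags R-4 for a missing owner, an unrecognized strategy, no controls and no due date, and notes that no fraud risk appears anywhere; R-1 and R-2 pass. Running a check like this before each risk assessment meeting, and again before the evidence goes to the auditor, turns the CC5.1 questions into something a contributor can fix the same day rather than a finding discovered during the audit.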

CC9.0: Risk Mitigation/Business Disruption
Lastly, there is one criterion in CC9.0 that describes the relationship between the risk assessment and business disruptions.
- CC9.1 (COSO Principle 12 supplement 9.1): The entity identifies, selects, and develops risk mitigation activities for risk arising from potential business disruptions.
An organization should include an evaluation of risks related to disruptions in business processes and develop risk mitigation strategies for each identified risk. Risk mitigation activities can include:
- Developing policies, procedures, and communications.
- Selecting an alternate processing site.
- Monitoring information and communications during response, mitigation, and recovery efforts to meet the organization’s objectives.
- Implementation of cybersecurity insurance to offset the risk of financial loss.
- Development and testing of Business Continuity and Disaster Recovery Plan (BCDR).
Just as changes in the organization must be reflected in the risk assessment, reflecting those changes in the BCDR is key to mitigating risk during a business disruption. We often look to see that BCDR tests or tabletop exercises occur on a scheduled basis, that the appropriate departments and levels of expertise are attending, and that discussion of changes is part of the BCDR meeting agenda. If a BCDR has not been updated or reviewed recently, it often indicates that changes have not been factored into the plan or that a thorough test of the plan has not been performed.
Common Questions About SOC 2 & Risk Assessments
These are some of the more common questions asked by clients when it comes to SOC 2 and risk assessments.
Is SOC 2 a Risk Assessment?
A SOC 2 is not a risk assessment itself, but it requires you to perform a risk assessment to be compliant. During SOC 2 preparation, organizations must perform a risk assessment to justify why the organization chose certain security controls.
What Are the 5 Trust Services Criteria for a SOC 2?
Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy
How Do Auditors Evaluate Whether a CC3 Risk Assessment Is Sufficient?
Auditors look at the documented risk assessment to verify that risks have been assigned a likelihood and impact score, include fraud risks, and have been reviewed or updated within the period. Sufficiency can be evaluated by looking at the content of the risks and by looking at the contributors and owners. If a risk assessment has risks with only one owner or contributor, it is most likely not sufficient.
What Evidence Fails CC3.4 Most Often?
Risk assessments most often fail CC3.4 because they do not include the right people. A typical example is a compliance manager who completes the risk assessment without involving the personnel who know and understand what changes occurred in the organization.

Building a Risk Assessment Auditors’ Trust
To recap, there are a total of seven common criteria within the SOC 2 report that are directly related to the organization’s risk assessment and risk management processes. The criteria range from organizational objectives, the identification and evaluation of risks to achieving those objectives, risk mitigation, and fraud risk, to vendor risk management, risks arising from business disruptions, and risks arising from change. Using the criteria as a foundation for developing the risk assessment process helps the risk assessment meet the SOC 2 requirements, but it can also have a significant impact on the organization as a whole, because a thorough, thoughtful, up-to-date risk assessment can prevent negative outcomes.
If you have any questions about this blog or about our SOC 1 and SOC 2 services, please feel free to contact us at Linford & Company, and we will be happy to help in any way we can.
This article was originally published on 10/12/2022 and was updated on 1/14/2026.

Britney Oswald specializes in SOC reporting and has eight years of experience performing IT and controls audits as both an internal and external auditor. In addition, she has experience as a Financial Controller implementing systems and processes within growing businesses. Her favorite part of the job is helping clients implement controls that are right-sized for their organization.