What is inherent risk and control risk and how do they relate to a SOC 2 audit? Inherent risk occurs due to the nature of the service provided and operation of the Company without consideration of any controls in place. Control risk is present as a result of the internal controls in place at the Company which may not prevent an error or may fail. This blog will discuss these audit risks further and how implementing controls, specifically for a SOC 2 report, will mitigate these risks or bring them to an acceptable level.
What is a SOC 2 Audit & How Does it Mitigate Risk?
A SOC 2 (System and Organization Control 2) audit is performed for a Company that provides a key service or system to user entities. Some well-known Companies that undergo SOC 2 audits are Amazon Web Services (AWS), Oracle, Azure, etc.
SOC 2 reports cover the Trust Services Criteria (TSCs), which include:
The only criteria that must be included in a SOC 2 report are the Security criteria; Companies should also include any of the other criteria that are applicable to the services or systems they provide to their customers. Based on the criteria included in the report, the Company implements controls in order to meet those criteria. These controls mitigate the overall risk present at the Company due to the nature of the services or systems it performs.
For example, one of the common criteria, CC6.1, states, “The entity implements logical access security software, infrastructure, and architecture over protected information assets to protect them from security events to meet the entity’s objectives.” In order to meet this criterion, a Company should implement various preventative and detective controls, such as: developing a process to register and authorize users prior to issuing system credentials, performing an annual user access review, requiring documented access requests for user access additions, modifications, and removals, etc. The implementation of such controls helps to mitigate the risk of security events.
What is Inherent Risk?
When evaluating the risk present at a Company, some things that need to be considered are the operations, services and/or systems offered, and the internal control environment. When doing this, the Company and its auditor should consider both inherent risk and control risk. Inherent risk, in relation to SOC 2 reports, is less about the risk of material misstatement and more about the risk of error related to the Company’s operations and/or the services/systems they provide to their users. Inherent risk is the probability of an error occurring due to the nature of the operations and services/systems provided by the company, without the consideration of internal controls.
For example, a Company could process a high level of complex transactions, be performing many processes manually, or management could partake in unethical business practices, which naturally creates a higher risk environment regardless of the controls in place. By evaluating inherent risks, a Company and its auditor can determine what areas of the business are higher risk, what type of controls to implement, and how these controls could assist in mitigating the inherent risk present and bring it to an acceptable level.
What is Control Risk?
Control risk differs from inherent risk: it is the probability of material misstatement or error due to control failures. It is common for controls to have either design or operating effectiveness failures, and depending on the extent of the failure, an error could result.
For example, a Company may have logical access controls in place, such as role-based access, new and terminated user processes, limited administrator access, etc. If several of these controls fail, the probability of an error occurring, such as inappropriate system access that could lead to a security event, should be considered. Evaluating control risk helps a Company and its auditor determine whether they have an adequate number of quality controls in place to bring the control risk to an acceptable level.
Inherent Risk vs Control Risk: What is the Difference?
Both inherent and control risks should be considered by the Company when evaluating their control environment and preparing for a SOC 2 audit. Inherent risk is typically evaluated first, as this risk exists without the consideration of the controls in place or if controls are inadequate. Inherent risk and the probability that it will occur should be determined and given a risk score.
Based on the likelihood of the risk occurring, controls should be put in place to reduce that likelihood. Once mitigating controls are in place, the control risk can then be evaluated and the likelihood of a control failure determined. By considering these risks together, a Company can create a strong internal control environment that will prepare it to undergo a SOC 2 audit.
How Do You Assess Risk in an Audit?
When a SOC 2 audit is being performed, the auditor will consider the controls in place at the Company and map them to the SOC 2 criteria. If there are not enough controls in place to meet the criteria, this could indicate that, in addition to not meeting the SOC 2 criteria, the Company could have higher levels of both inherent and control risk that should be evaluated and additional controls put in place. Additionally, when performing the SOC 2 audit, the controls that meet the SOC 2 criteria will be tested by the auditor.
This testing will look at both the design and operating effectiveness of the controls and assist in identifying whether there were any failures, which in turn helps in identifying and evaluating control risk. Note that there is a third type of audit risk, detection risk, which is the risk that the auditor’s procedures will not detect errors or material misstatement. Detection risk cannot be completely eliminated, but it can be lowered by hiring a quality audit firm with experienced individuals who apply rigorous testing methods and audit procedures.
Companies should also perform a risk assessment, on at least an annual basis, that considers all aspects of their business, including their services and/or systems, regulatory and economic changes, etc., in order to understand the overall risk present at the Company. By performing risk assessments and undergoing SOC 2 audits, Companies can identify controls that need to be implemented and identify control failures, which assists in lowering risk levels and strengthening their control environment.
SOC 2 audits, among other types of audits, consider both inherent risk and control risk when evaluating a Company’s internal control environment. Inherent risk exists naturally due to the operations and services/systems provided by the Company. Control risk is the risk present as a result of a control failure. These two audit risks go hand in hand when auditors are evaluating overall risk at the Company.
Megan Kovash works primarily on SOC audits with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Masters of Accountancy with the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions to better her client’s business.