The most important common criteria tested within the SOC 2 report is the risk assessment. An organization’s risk assessment is the heart and soul of the SOC 2 report. Unfortunately, there are many consequences for lacking well-defined risk assessment and risk management processes:
- Business/system failure
- Financial loss
- Noncompliance with national and foreign laws, regulations, and standards
- Increased probably for fraudulent activities
But don’t worry, no need to panic! After reading the following sections, you’ll learn the SOC 2 criteria that are directly related to the risk assessment and risk management processes, an auditor’s interpretation of the spirit of each of these criteria, and a few helpful techniques to get your organization’s risk assessment and risk management processes prepared for SOC 2 control testing.
CC3.0: Risk Assessment Process
There are four criteria within CC3.0: Risk Assessment of the SOC 2 report. Each criterion, also known as COSO Principles, describes specific aspects of the risk assessment and risk management processes (included below, from COSO.org).
- “CC3.1 (COSO Principle 6): The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”
- “CC3.2 (COSO Principle 7): The entity identifies risk to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
- “CC3.3 (COSO Principle 8): The entity considers the potential for fraud in assessing risks to the achievement of objectives.”
- “CC3.4 (COSO Principle 9): The entity identifies and assesses changes that could significantly impact the system of internal control”.
CC3.1 (COSO Principle 6)
Take a step back and look at your organization’s risk assessment and management processes and ask yourself, why is my organization performing a risk assessment in the first place? Is it to identify only IT risks? Is it to mitigate risks to an acceptable level? Not necessarily. Those are only components of a risk assessment. The main purpose of conducting a risk assessment is to identify strategic, operational, technical, and financial risks. If exploited, it could result in not achieving 1 or many of your business objectives or commitments made to your customers.
At the beginning of your risk assessment process, ask the following questions:
- What are your organization’s business objectives?
- Are these objectives formally documented?
- Are the risks identified within the risk assessment cascaded from your organization’s objectives?
CC3.2 (COSO Principle 7)
Assuming you came to the same conclusion, this criterion speaks directly to performing a risk assessment that includes the identification of risks to the achievement of your organization’s objectives and commitments made to your customers. CC3.2 also speaks to how the entity determines how it will manage each identified risk to an acceptable level by categorizing, evaluating, and creating risk mitigation strategies for each risk identified in the risk assessment.
Make sure your risk identification and assessment processes include the following:
- Documentation of the process, procedures, and framework (ISO 27001, NIST-800) followed during the risk assessment.
- Categorization of risks.
- Risks rated using an evaluation scale (Likelihood x Impact).
CC3.3 (COSO Principle 8)
You guessed it! Fraud should be a major consideration in your organization’s risk assessment and management processes. An analysis of the fraud risks and schemes that may impact achieving your organization’s objectives and commitments to customers should be included within the risk assessment. And always remember the Fraud Triangle: Motive/Pressure, Opportunity, and Rationalization.
CC3.4 (COSO Principle 9)
During my professional career, many organizations have struggled to understand the meaning of this criterion. Organizations that fail to monitor and assess risks to changes within their organization could be more vulnerable to data loss or breaches. An organization may not have had any major terminations, changes to leadership, or business mergers, but typically, in the time between risk assessment reviews, an organization goes through some type of change.
Here are a few examples of changes that organizations may have experienced that if not monitored and assessed, could negative impact on an organization:
- Current technology/adoption of new technology
- Changes to leadership
- Laws and regulations
- Third-party vendors or business partners
CC5.0: Control Activities
Next, there are two criteria within CC5.0 that are directly related to the risk assessment, more specifically, risk mitigation.
- CC5.1 (COSO Principle 10): The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- CC5.2 (COSO Principle 11): The entity also selects and develops general control activities over technology to support the achievement of objectives.
Once the risks to your organization achieving its business objectives have been identified and evaluated, risk mitigation strategies and plans should be created for each risk. Risk mitigation strategies can include processes, controls, and timeframes to mitigate each risk to an acceptable level.
Consider the following:
- Were risks from previous risk assessment(s) included in the most recent version and reviewed?
- Does each risk have a risk owner?
- What mitigation strategy (Acceptance, Transfer, Avoidance, Mitigate) was determined?
- Were processes and controls in place to mitigate the risk to an acceptable level?
- What is the remediation timeframe for each risk?
CC9.0: Risk Mitigation/Business Disruption
Lastly, there is one criterion in CC9.0 that describes the relationship between the risk assessment and business disruptions.
- CC9.1 (COSO Principle 12 supplement 9.1): The entity identifies, selects, develops risk mitigation activities for risk arising from potential business disruptions.
An organization should include an evaluation of risks related to disruptions in business processes and develop risk mitigation strategies for each identified risk. Risk mitigation activities can include:
- Developing policies, procedures, and communications.
- Selecting an alternate processing site.
- Monitoring information and communications during response, mitigation, and recovery efforts to meet your organization’s objectives.
- Implementation of cybersecurity insurance to offset the risk of financial loss.
- Development and testing of Business Continuity and Disaster Recovery Plan.
To recap, there are a total of seven common criteria within the SOC 2 report that are directly related to your organization’s risk assessment and risk management processes. The criteria range from your organizational objectives, the identification and evaluation of the risks to achieving your organization’s objectives, risk mitigation, fraud risk, vendor risk management, risks arising from business disruptions, and risk to changes in technology.
I hope you are just as excited about the SOC 2 risk assessment criteria as I am. If you have any questions about this blog or about our SOC 1 and SOC 2 services, please feel free to contact us at Linford & Company and we will be happy to help in any way we can.
Ryan started with Linford & Co., LLP in 2022 focusing on SOC 1 and SOC 2 examinations. Ryan started his career with KPMG Atlanta in 2016 in the IT Assurance group focusing on SOX and ITGC testing. He has also audited clients from a variety of industries as well as worked on an Internal Audit for a financial services institution. Ryan holds a Bachelor of Information Science and Technology from the University of Wisconsin, Milwaukee, and a Masters of Information Systems from Auburn University.