SOC 2 Controls CC3: Risk Assessment
The third SOC 2 requirement in the CC series is Risk Assessment.
CC3.1
SOC 2 CC3.1 requires that your organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
CC3.1 highlights the following points of focus:
Operations Objectives
Reflects Management's Decisions
Your organisation’s operations objectives should accurately reflect management's decisions about structure, industry considerations, and organisation performance.
Considers Tolerance Levels for Risk
Your management team should consider the acceptable levels of variation relative to the attainment of your organisation’s operations objectives.
Includes Operations and Financial Performance Objectives
The organisation should indicate the desired level of operations and financial performance within its operations objectives.
Forms a Basis for Committing of Resources
Management should use your organisation’s operations objectives as a basis for allocating resources needed to achieve desired operations and financial performance.
External Financial Reporting Objectives
Complies With Applicable Accounting Standards
Your organisation’s financial reporting objectives should be consistent with accounting principles suitable and available for the organisation. The accounting principles selected should be pertinent in the circumstances.
Considers Materiality
The management team should consider materiality in financial statement reporting.
Reflects Organisational Activities
External reporting should reflect the underlying transactions and events to show qualitative characteristics and statements.
External Nonfinancial Reporting Objectives
Complies With Externally Recognised Frameworks
The management team should establish objectives consistent with laws and regulations or standards and frameworks of recognised external entities.
Reflects the Necessary Level of Precision
Management should consider the required level of precision and accuracy appropriate for user needs and based on criteria established by third parties in nonfinancial reporting.
Reflects Entity Activities
Your organisation’s external reporting should reflect the underlying transactions and events within a range of acceptable limits.
Internal Reporting Objectives
Reflects Management's Choices
Your organisation’s internal reporting should provide management with accurate and complete information about its choices and the information needed to manage the organisation.
Reflects the Necessary Level of Precision
Management should consider the required level of precision and accuracy appropriate for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
Reflects Entity Activities
Your organisation’s internal reporting should reflect the underlying transactions and events within a range of acceptable limits.
Compliance Objectives
Reflects External Laws and Regulations
Laws and regulations determine minimum standards of conduct, which your organisation should integrate into compliance objectives.
Considers Tolerances for Risk
Your management team should consider acceptable levels of variation relative to achieving your organisation’s operations objectives.
An additional point of focus specifically related to all engagements using the trust services criteria:
Establishes Sub-objectives to Support Objectives
The management team should identify sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of your organisation’s objectives related to reporting, operations, and compliance.
CC3.2
SOC 2 CC3.2 requires that your organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
CC3.2 highlights the following points of focus:
Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
The organisation should identify and assess risk, relevant to the accomplishment of its objectives, at multiple levels:
- Organisation
- Subsidiary
- Division
- Operating unit
Analyses Both Internal and External Factors
Your organisation’s risk identification process should consider both internal and external factors and their influence on achieving objectives.
Involves Suitable Levels of Management
The organisation should put effective risk assessment mechanisms in place, involving suitable levels of management.
Assesses Significance of Risks Identified
Your organisation should analyse identified risks through a process that includes assessing the possible significance of the risk.
Defines How to Respond to Risks
Risk assessment should include considering how the risk should best be managed and whether to accept, avoid, reduce, or share the risk.
Additional points of focus specifically related to all engagements using the trust services criteria:
Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities
Your organisation’s risk identification and assessment procedure should include:
- Recognising information assets. This includes physical devices and systems, virtual devices, software, data and data flows, external information systems and organisational roles
- Evaluating the criticality of the identified information assets
- Recognising the threats to your information assets from intentional (including malicious) and unintentional acts as well as environmental events
- Identifying the possible vulnerabilities of the information assets.
Evaluates Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties
Your organisation’s risk assessment procedure should include analysing potential threats and vulnerabilities from vendors providing goods and services.
The risk assessment procedure should also include the analysis of threats and vulnerabilities that could arise from business partners, customers, and others with access to your organisation’s information systems.
Considers the Significance of the Risk
Consideration of the potential significance of the identified risks should include:
- Establishing the criticality of identified information assets in meeting your organisation’s objectives
- Assessing the impact of identified threats and vulnerabilities in meeting your organisation’s objectives
- Assessing the probability of identified threats
- Ascertaining the risk linked to assets based on asset criticality, threat impact, and probability.
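The following is an added example, not part of the original article and not Hicomply's tooling: a small risk register that applies the CC3.2 points of focus above (asset criticality, threat impact, probability, the source of the threat, and the management response options from "Defines How to Respond to Risks"). The 1 to 5 ordinal scales, the multiplicative score, and the priority thresholds are constructed assumptions; SOC 2 prescribes none of them.

```python
"""Risk register illustrating the CC3.2 points of focus.

Scales, the score formula and the priority thresholds are constructed
assumptions for illustration, not SOC 2 requirements.
"""
from dataclasses import dataclass

RESPONSES = {"accept", "avoid", "reduce", "share"}   # CC3.2 response options
SCALE = range(1, 6)                                   # assumed 1..5 ordinal scale
THIRD_PARTY_SOURCES = {"vendor", "partner", "customer"}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # how much achieving objectives depends on the asset


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str             # intentional, unintentional or environmental event
    vulnerability: str      # weakness the threat could act on
    source: str             # "internal", "environmental", "vendor", "partner", ...
    impact: int             # consequence for objectives if the threat materialises
    probability: int        # likelihood of the threat occurring
    response: str           # management's chosen response from RESPONSES


def validate(risk: Risk) -> None:
    """Reject entries outside the assumed scales or with an unknown response."""
    for label, value in (("criticality", risk.asset.criticality),
                         ("impact", risk.impact),
                         ("probability", risk.probability)):
        if value not in SCALE:
            raise ValueError(f"{label} must be in 1..5, got {value}")
    if risk.response not in RESPONSES:
        raise ValueError(f"unknown response {risk.response!r}")


def score(risk: Risk) -> int:
    """Assumed formula: criticality x impact x probability (range 1..125)."""
    validate(risk)
    return risk.asset.criticality * risk.impact * risk.probability


def priority(risk_score: int) -> str:
    """Assumed thresholds mapping a score to a review priority."""
    if risk_score >= 60:
        return "high"
    if risk_score >= 20:
        return "medium"
    return "low"


def build_register(risks) -> list:
    """Return register rows ordered from highest to lowest score."""
    rows = []
    for r in risks:
        s = score(r)
        rows.append({"asset": r.asset.name, "threat": r.threat,
                     "source": r.source, "score": s,
                     "priority": priority(s), "response": r.response})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def needs_signoff(register) -> list:
    """High-priority risks that management chose to accept: the risk-tolerance
    decision (CC3.1) should be recorded explicitly for these."""
    return [row for row in register
            if row["priority"] == "high" and row["response"] == "accept"]


def third_party_rows(register) -> list:
    """Rows whose threat originates with vendors, partners or customers."""
    return [row for row in register if row["source"] in THIRD_PARTY_SOURCES]


# Constructed sample entries (fictional assets and threats).
CUSTOMER_DB = Asset("customer database", 5)
PAYROLL_SAAS = Asset("payroll SaaS", 4)
GUEST_WIFI = Asset("guest Wi-Fi", 1)
BACKUP_TAPES = Asset("backup tapes", 4)

SAMPLE = [
    Risk(CUSTOMER_DB, "ransomware via phishing", "no MFA on admin VPN",
         "internal", impact=5, probability=3, response="reduce"),
    Risk(PAYROLL_SAAS, "vendor data breach", "credentials shared with vendor",
         "vendor", impact=4, probability=2, response="share"),
    Risk(GUEST_WIFI, "network abuse by visitors", "open network",
         "external", impact=2, probability=4, response="accept"),
    Risk(BACKUP_TAPES, "flood at off-site store", "single storage location",
         "environmental", impact=5, probability=3, response="accept"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE)
    for row in register:
        print(f"{row['score']:>3} {row['priority']:<6} {row['response']:<6} "
              f"{row['asset']}: {row['threat']}")
    print("needs sign-off:", [row["asset"] for row in needs_signoff(register)])
```

Scores drive the review order, while the response stays a recorded management decision; the register only flags the combination that deserves a second look (a high-priority risk that is simply accepted), which is the point at which CC3.1's risk-tolerance decision should be visible to an auditor.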
CC3.3
SOC 2 CC3.3 requires that your organisation considers the potential for fraud in assessing risks to the achievement of objectives.
CC3.3 highlights the following points of focus:
Considers Numerous Types of Fraud
The organisation’s assessment of fraud should take into account fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
Assesses Incentives and Pressures
Your organisation’s assessment of fraud risks should consider incentives and pressures.
Assesses Opportunities
The assessment of fraud risk should consider opportunities for:
- Unauthorised possession, use, or disposal of assets
- Altering the entity’s reporting records
- Committing other inappropriate acts.
Evaluates Attitudes and Rationalisations
The organisation’s assessment of fraud risk should consider how management and other personnel might engage in or rationalise improper actions.
An additional point of focus specifically related to all engagements using the trust services criteria:
Considers the Risks Related to the Use of IT and Access to Information
Your organisation’s assessment of fraud risks should consider threats and vulnerabilities that could occur specifically from the use of IT and access to information.
CC3.4
SOC 2 CC3.4 requires that your organisation identifies and assesses changes that could significantly impact the internal control system.
CC3.4 highlights the following points of focus:
Considers Changes in the External Environment
Your organisation’s risk identification procedure should consider changes to the regulatory, economic, and physical environment in which the organisation operates.
Considers Changes in the Business Model
The organisation should consider the possible impacts on the internal control system of new business lines, significantly altered arrangements of existing business lines, acquired or divested business operations, rapid growth, changing dependence on foreign geographies, and new technologies.
Considers Changes in Leadership
Your organisation should consider the effect on the internal control system of changes in management and the corresponding changes in attitudes and philosophies.
An additional point of focus specifically related to all engagements using the trust services criteria:
Considers Shifts in Systems and Technology
Your risk identification process should consider risks arising from changes in your organisation’s systems and technology environment.
Considers Changes in Vendor and Business Partner Relationships
Your risk identification process should consider potential changes in vendor and business partner relationships.