With the importance that information security continues to have in enterprise and vendor risk management, your organization may find itself needing a System and Organization Controls (SOC) 2 report sooner rather than later. First-timers to the SOC 2 process should have a current risk assessment available prior to their first SOC 2 engagement. A risk assessment can make the attestation related to your IT controls an easier process to undergo. Our article provides additional detail about what the risk assessment entails.
Reminder: What Is Being Evaluated in a SOC 2 Audit?
The SOC 2 audit uses the AICPA Trust Services Criteria related to the security, availability, processing integrity, confidentiality and privacy of your sensitive information to opine on the design and operating effectiveness of your organization’s IT controls. As part of the engagement, SOC 2 auditors will also review your logical and physical access controls, system operations, change management procedures, and risk mitigation activities.
Defining Your Risk Universe & Identifying Controls
Every organization’s risks are different depending on your industry, organization size, whether the organization is public or private, and a variety of additional factors. No two organizations are likely to have the same risks, and the risks may increase if you experience changes to IT system operations, processing volume, management teams or regulations.
With such a wide range of factors involved in identifying a comprehensive listing of risks facing your organization, or your “risk universe,” the largest looming question for many is “where do I start?” Fortunately, there are many adequate resources available online if you simply query “list of risks for ‘x’ industry”. While the more comprehensive resources are likely behind the paywalls of companies that want you to pay for their content, there are many free resources that provide a sufficient starting point. Also, if your company has already invested in a third-party risk management tool or audit software, many of these systems include a vast catalog of risks for consideration. Lastly, you can ask your auditor. Too often companies do not appropriately leverage the resources that their audit firm has available and is likely willing to share.
Once you have identified your full risk universe, the next step is to rank those risks. This is an area many organizations stumble on during the risk assessment as they attempt to track and manage “all” risks. While noble in intent, the reality is that organizations only need to rank their “key” risks. Tracking hundreds of risks can be a full-time job, and there comes a point where you enter a realm of diminishing returns. A common framework for measuring risk ratings is calculating a residual risk score: the risk that remains after taking “inherent” risk (the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances) and subtracting the effect of any controls that may mitigate the loss. To calculate residual risk we review the following factors:
1. Impact - the potential effect of the occurrence of the risk.
2. Velocity - how quickly the full impact of the risk will be realized.
3. Likelihood - how likely the risk event is to occur.
4. Mitigation - how strong your control environment is for this particular risk, i.e. how likely your existing controls are to identify the issue.
By summing the inherent risk factor scores on a desired scale (1 to 10, 1 to 5, etc.) and deducting a calculated mitigation score, you have your residual risk.
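As an added illustration (not part of the original article, and not any firm’s scoring tool), the following script applies the residual risk method described above to a small, constructed risk register. It assumes a 1-to-5 scale for each factor, sums impact, velocity and likelihood into an inherent score, subtracts the mitigation score, rejects any factor that falls outside the scale, and ranks the register so that only the top “key” risks are carried forward. The risk names and scores are invented sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed scale for every factor; the article allows any scale (1-10, 1-5, ...).
SCALE_MIN = 1
SCALE_MAX = 5


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int      # potential effect if the risk occurs
    velocity: int    # how quickly the full impact is realized
    likelihood: int  # how likely the risk event is to occur
    mitigation: int  # strength of the controls that would identify the issue


def _check(score: int, label: str) -> int:
    """Reject scores outside the agreed scale so a typo cannot skew the ranking."""
    if isinstance(score, bool) or not isinstance(score, int):
        raise ValueError(f"{label} must be an integer, got {score!r}")
    if not SCALE_MIN <= score <= SCALE_MAX:
        raise ValueError(
            f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {score}"
        )
    return score


def inherent_risk(risk: Risk) -> int:
    """Inherent risk = impact + velocity + likelihood (no credit for controls)."""
    return (
        _check(risk.impact, "impact")
        + _check(risk.velocity, "velocity")
        + _check(risk.likelihood, "likelihood")
    )


def residual_risk(risk: Risk) -> int:
    """Residual risk = inherent risk minus the mitigation score."""
    return inherent_risk(risk) - _check(risk.mitigation, "mitigation")


def rank_risks(risks: Iterable[Risk], top_n: Optional[int] = None) -> List[Risk]:
    """Order by residual risk (highest first); ties broken by inherent risk."""
    ranked = sorted(
        risks,
        key=lambda r: (residual_risk(r), inherent_risk(r)),
        reverse=True,
    )
    return ranked if top_n is None else ranked[:top_n]


# Constructed sample register (hypothetical names and scores).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing servers", impact=5, velocity=4, likelihood=4, mitigation=2),
    Risk("Loss of key administrator", impact=3, velocity=2, likelihood=3, mitigation=4),
    Risk("Ransomware delivered by phishing", impact=5, velocity=5, likelihood=3, mitigation=3),
    Risk("Data center power outage", impact=4, velocity=5, likelihood=2, mitigation=5),
]


def key_risk_names(risks: Iterable[Risk], top_n: int) -> List[str]:
    """Names of the top_n risks by residual score, the ones worth tracking as 'key'."""
    return [r.name for r in rank_risks(risks, top_n)]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.name:36s} inherent={inherent_risk(r):2d} residual={residual_risk(r):2d}")
    print("Key risks:", key_risk_names(SAMPLE_REGISTER, 2))
```

The ranking, not the raw numbers, is the useful output: two risks with identical inherent scores (the unpatched servers and the phishing scenario above) end up in different positions purely because one has stronger mitigating controls, which is exactly the distinction the residual score is meant to surface.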
With your critical risks now identified, the next step is to identify your key controls. Documenting key controls should include evaluating the frequency of the control and who the control owner is. The control owner should ultimately be responsible for ensuring the control is operating in an appropriate manner. Early results from the assessment of both risks and controls will identify if your organization has any glaring issues with the way in which it handles the security, availability, processing integrity, confidentiality, and privacy of its information.
The Importance of Documentation in the SOC 2 Engagement
One of the reasons why conducting a formal risk assessment is important to your SOC 2 engagement is that it helps your organization formally document its threats to and controls for IT security. The SOC 2 auditor will review your internal controls, policies and procedures, and risk mitigation measures in place related to the AICPA Trust Services Criteria prior to beginning the SOC 2 engagement. If you have the control areas that will be reviewed during the SOC 2 audit well covered, it can expedite your SOC engagement.
For organizations undergoing a SOC 2 for the first time that are not confident in their own internal evaluation of risks, a readiness assessment is often an invaluable tool for validating SOC 2 preparedness. In golfing terms, a readiness assessment can be viewed as a company’s “mulligan.” In short, it allows the opportunity to work with your auditor to identify your key controls to meet the Trust Services Criteria and, if done properly, will also provide your organization with recommendations on areas for control improvement and insights into best practices. The SOC 2 readiness stage can take anywhere from a few weeks to upwards of three months. It’s an investment any company considering a first-time SOC 2 should strongly consider because of the advantages of identifying any control gaps before entering its formal audit period.
For More Questions
For specific comments, questions or concerns about getting ready for your first SOC 2 audit, please contact a member of our team.
Published on February 25, 2022