Per the AICPA Publication, Trust Services Principles and Criteria, “A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.” So, does it mean that service organizations undertaking annual SOC 2 compliance assessments need to perform an annual risk assessment? Absolutely. In fact, a number of the “Common Criteria” listed within the overall Trust Services Principles and Criteria require that a documented, formalized risk assessment process be in place.
What’s the Scope of a SOC 2 Risk Assessment?
The challenge for service organizations, however, is determining what the scope of a risk assessment should be, what documentation should be used for such an exercise, and whether there are standards and guidelines to follow. Let’s take a look at all of these issues and clarify the risk assessment process once and for all for SOC 2 reporting. NDNB provides a complimentary risk assessment program to all of our valued SOC 2 audit clients.
There are many different categories of risk that you can choose to assess, such as market risk, credit risk, security risk, country risk, etc.
Which of these risks you should assess during a SOC 2 engagement depends primarily on your business processes and other essential scoping parameters. Even so, most – if not all – service organizations will assess information security risks and other applicable operational risks, the two key areas relevant to the SOC 2 auditing process.
What Framework Should be Used for Assessing Risk?
There are a number of risk assessment frameworks available for use and implementation, but more important than the choice of framework – they’re all relatively good and achieve the same results – is the question of which categories of risk you should assess. Here’s a list of the sixteen categories of risk that you can potentially choose from:
1. Key Risks
2. Information Security Risks
3. PII & PHI Risks
4. Cardholder Data Risks
5. Compliance Risks
6. Reputation Risks
7. Strategic Risks
8. Operational Risks
9. Transaction Risks
10. Credit Risks
11. Country Risks
12. Third-Party Risks
13. Interest Rate Risks
14. Liquidity Risks
15. Legal Risks
16. Market Risks
What Documentation Can Validate the Risk Assessment Process?
There are many different outputs and types of evidence that can document one’s risk assessment activities. Perhaps it’s a software solution that provides some type of reporting, an MS Excel spreadsheet that details risk findings, or even a simple, straightforward checklist you’ve developed internally. There’s no right or wrong answer as to what constitutes evidence of a risk assessment – so long as you perform the process and can show ample evidence of such activities. Here are a few examples of common risk assessment documentation we’ve seen over the years:
- An analysis from a risk management software program that consisted of various hard copy reports.
- A comprehensive MS Excel spreadsheet that was internally developed by a service organization and tailored to their needs.
- An MS Word document showing a listing of risks and what controls are in place.
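Whatever form the evidence takes, the underlying process the AICPA criteria describe is the same: record a baseline of risks, then on each annual cycle identify which risks are new or changed and update the documented responses. The following is an added illustration, not code from the original page or from NDNB, of that baseline-and-delta process as a small risk register. The category names are taken from the list above; the risk entries, the 1–5 likelihood and impact scales, the score threshold of 12, and the field names are constructed assumptions for the example.

```python
"""Minimal SOC 2 style risk register (added example; constructed sample data).

Establishes a baseline of risks, compares the next annual assessment against
it to find new, changed and retired risks, flags responses that need updating,
and renders the current register as CSV so it can serve as audit evidence.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str      # one of the risk categories listed on the page
    description: str
    likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int        # assumed scale: 1 (negligible) .. 5 (severe)
    response: str      # documented control or treatment; empty if none yet

    @property
    def score(self) -> int:
        """Simple likelihood x impact rating (assumed scoring method)."""
        return self.likelihood * self.impact


# Constructed sample data: the risk baseline from the prior assessment cycle.
BASELINE_2023 = [
    Risk("R-01", "Information Security Risks", "Unpatched internet-facing servers",
         3, 4, "Monthly patch cycle with vulnerability scanning"),
    Risk("R-02", "Third-Party Risks", "Subservice organization has no SOC report",
         2, 3, "Annual vendor review and contract review"),
    Risk("R-03", "PII & PHI Risks", "Customer PII stored without encryption at rest",
         2, 5, "Disk encryption on all database volumes"),
]

# Constructed sample data: the current annual assessment.
# R-01 likelihood rose, R-02 is unchanged, R-03 was retired, R-04 is new.
CURRENT_2024 = [
    Risk("R-01", "Information Security Risks", "Unpatched internet-facing servers",
         4, 4, "Monthly patch cycle with vulnerability scanning"),
    Risk("R-02", "Third-Party Risks", "Subservice organization has no SOC report",
         2, 3, "Annual vendor review and contract review"),
    Risk("R-04", "Compliance Risks", "New state privacy law applies to customer data",
         3, 3, ""),
]


def compare_assessments(baseline, current):
    """Identify new, changed and retired risks relative to the baseline.

    A risk counts as changed when any field differs (score, description or
    documented response); frozen dataclasses give field-by-field equality.
    """
    base = {r.risk_id: r for r in baseline}
    cur = {r.risk_id: r for r in current}
    new = [cur[i] for i in cur if i not in base]
    retired = [base[i] for i in base if i not in cur]
    changed = [(base[i], cur[i]) for i in cur if i in base and cur[i] != base[i]]
    return {"new": new, "changed": changed, "retired": retired}


def responses_needing_update(diff, threshold=12):
    """Return sorted ids of risks whose response must be written or revisited.

    New risks need attention when they have no documented response or rate at
    or above the threshold; existing risks need attention when their score
    increased since the baseline.
    """
    ids = []
    for r in diff["new"]:
        if not r.response.strip() or r.score >= threshold:
            ids.append(r.risk_id)
    for old, new in diff["changed"]:
        if new.score > old.score:
            ids.append(new.risk_id)
    return sorted(ids)


def to_csv(risks) -> str:
    """Render a register as CSV text, the kind of artifact kept as evidence."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["risk_id", "category", "description", "likelihood",
                     "impact", "score", "response"])
    for r in sorted(risks, key=lambda r: r.risk_id):
        writer.writerow([r.risk_id, r.category, r.description, r.likelihood,
                         r.impact, r.score, r.response])
    return buf.getvalue()


if __name__ == "__main__":
    diff = compare_assessments(BASELINE_2023, CURRENT_2024)
    print("new:", [r.risk_id for r in diff["new"]])
    print("changed:", [(o.score, n.score, n.risk_id) for o, n in diff["changed"]])
    print("retired:", [r.risk_id for r in diff["retired"]])
    print("responses to update:", responses_needing_update(diff))
    print(to_csv(CURRENT_2024))
```

Run as a script it prints the delta between the two cycles and the CSV register; the comparison is keyed on a stable risk identifier, which is the one convention worth adopting in any spreadsheet or document you use, since without it year-over-year changes cannot be shown to an auditor.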
As you can clearly see, there’s quite a bit of looseness involved in what constitutes documentation to validate a risk assessment. NDNB, North America’s leading provider of SOC audits and other regulatory compliance services, offers a complimentary MS Word risk assessment program as part of our SOC 2 auditing program.
That means no costs out of your pocket for purchasing a risk assessment software tool or any other type of expensive compliance program. It’s just one of the many reasons why businesses all throughout the country turn to NDNB. Call Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 to learn more, or email him directly today.
What Else Does My Company Need to Know About SOC 2 Audits?
Performing an annual risk assessment is just one of many initiatives deemed critical for the overall SOC 2 auditing process. Here’s a quick primer on other essential “need-to-know” subject matter regarding SOC 2 audits:
1. Perform a SOC 2 Scoping & Readiness Assessment: If you’re completely new to the AICPA SOC 2 auditing process – or just need a fresh set of eyes to inspect your internal controls – then we highly recommend a SOC 2 scoping & readiness assessment. Why? Because it’s critical to assess audit scope in terms of processes, personnel, physical locations, along with relevant third-party providers involved.
Additionally – and this is a big point – you’ll want to adequately identify all control gaps and deficiencies, effectively remediating such issues prior to the commencement of the actual audit. Being proactive – in terms of SOC 2 auditing – is what ultimately results in an efficient, cost-effective, and successful SOC 2 auditing process.
2. Know that Documentation Remediation is Common: Do you have a comprehensive set of well-written information security policies and procedures in place? If not, you’ll need to develop such documentation as it’s a big part of the SOC 2 auditing process. That’s right, auditors will be on the lookout for your InfoSec policies, so be prepared.
NDNB offers a wide range of complimentary information security policies and procedures templates to all of our valued clients, so contact Christopher Nickell, CPA, at 1-800-277-5415, ext. 706 to learn more, or email him directly today.
NDNB. North America’s SOC 2 Leaders – Fixed Fees.
As a leading provider of SOC 2 audits for service organizations all throughout North America, NDNB also offers numerous complimentary tools and solutions to help you become SOC compliant. Use our risk assessment program along with our policy templates and save hundreds of hours and thousands of dollars on SOC 2 compliance today.