Expertise Beyond the Numbers

For SOC 2, Risk Management Becomes a Requirement

It’s always been advisable to approach SOC 2 audits* as part of an ongoing, entity-wide risk-management process. Soon, though, that good advice is going to be an audit requirement.

The change stems from revisions the American Institute of Certified Public Accountants (AICPA) made last year to its Trust Services Principles and Criteria, known as the TSP. The revised version is mandatory for SOC 2 reports dated after December 15, 2018.

The 2017 amendment significantly restructures and enhances TSP Section 100, which defines the required criteria within SOC 2 audits and, for each criteria, internal control considerations. Even if this is not your first SOC 2 report, the changes are extensive enough to consider a pre-SOC readiness assessment to identify any gaps within your internal control environment prior to the start of the reporting period.

In this post, we’ll focus on one major aspect of the 2017 revisions: the need for a formalized, entity-wide risk-management process.

The Trust Services Criteria: New name, new format, new details

AICPA’s goal for the 2017 revisions was to more accurately alight the TSP 100 with the 2013 COSO Framework, which publicly traded companies use to assess their own internal controls related to fraud and misappropriation of assets and data. While both the TSP and the COSO Framework focus on internal control, they were developed separately and had used the term “principles” to denote different things.

The result is the 2017 Trust Services Criteria. AICPA dropped the word “principles” but retained the familiar TSP acronym. It also retained, but renamed as “categories,” the TSP 100’s former trust principles of Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Within those five categories, however, the criteria for assessment have been regrouped and expanded, with a new level of detail, called “points of focus,” suggested for the criteria. All of this tracks with the COSO Framework – including its emphasis on entity-wide risk management.

Start at the top

Like the COSO Framework, the 2017 Trust Services Criteria treats risk management as an ongoing process that starts with upper management and requires buy-in from all stakeholders in order to identify the relevant risks and remediation options.

At least once a year, management and relevant oversight groups (i.e. Board of Directors) should facilitate a discussion of the enterprise’s obligations, threats to completion and ways of mitigating those threats. We strongly recommend quarterly follow-up meetings to identify and discuss any changes. Mitigation is not a static endeavor: threats evolve, and so should your risk-management plan.

The process also must be formalized and documented in order to validate and support operating effectiveness throughout the period in scope. From a SOC auditor’s perspective, “if it isn’t documented, it doesn’t exist.”

Obligations, Requirements and Threats

The discussion should start with your organization’s obligations and commitments. What contracts are in place, and what do they obligate you to deliver? What resources will you need to meet those obligations? What information will you receive in the process that will require protection?

Once your company’s obligations and needs have been identified, it’s time to consider factors that might threaten your ability to perform – such as:

  • Laws, regulations and standards: What rules currently apply to your business, and can you demonstrate that you’re following them? Laws, regulations and standards can change frequently, and even if the text stays the same, their interpretation and enforcement can be affected by the decisions of courts, agencies and independent governing bodies.
  • Internal threats: Are there personnel, budgetary or operational issues that will impact your objectives? For example, is there a succession plan in place for the CEO and other high-level managers? Is the company’s lease up for renewal? Are your technology and security systems up-to-date?
  • External (third-party) threats: How might your clients, sub-vendors, or business partners impact achievement of objectives? Are your rights secured via contracts, security agreements, MOUs or opinions of counsel?
  • Fraud-related threats: These can arise internally or via third parties. Fraudulent reporting, misappropriation of physical assets or trade secrets, instances of corruption or misconduct, and similar issues can all impact your ability to fulfill your commitments.
  • External changes: Beyond the threats already considered, what changes do you expect in the regulatory, economic, and physical environment in which your business operates? What’s on the horizon in your industry, or among your competitors? Are your vendors reliable? Are consumer tastes changing? Are you or others in the industry facing litigation or regulatory enforcement proceedings?
  • Internal changes: Your own business plans can also impact your risk profile. For example, upgrading your technology, expanding or contracting product lines, moving or opening a new location, acquiring or merging with another company, or even just a period of rapid growth can challenge your company’s systems, methods of operation and relationships with vendors, business partners and customers. Of course, any change in the leadership or management team can bring with it a change in attitudes or philosophies on internal controls.

Prevent, Mitigate or Insure?

Now that you’ve identified the threats, what are you going to do about them?

The answer will depend on the gravity of each risk, which is a function of its probability (how likely is the threat to occur?); its expected impact on your operation (high, medium or low?); and the cost to deal with it, including actual expenses and missed opportunities.

Based on that assessment, the leadership team will determine whether to accept the risk, take preventive steps to avoid or minimize it, and/or insure against the loss if it should occur. These decisions make up the risk-management plan.

Documentation is essential at this stage. A SOC 2 auditor will measure the effectiveness of internal controls on three points: Is the control reasonably described? Based on the description, can it reasonably be expected to accomplish its stated goal? And finally, does it work?

Without documentation, there is no plan, no way to analyze it and no way to test its effectiveness. Again: if it’s not documented, it doesn’t exist.

How Will This Impact Your Business?

If your organization does not already have a risk-management process, developing one is likely to increase the time, effort and level of commitment, at all levels, needed for a successful SOC 2 audit.

The upside, however, can be tremendous. It can help you control losses and increase resiliency in the face of setbacks ranging from a power outage to a cyclone – or a cyber-attack – putting your business at a competitive advantage. Risk analysis can spur enhancements and provide a planning benchmark for future innovations.

As we’ve all seen, exposed vulnerabilities have done significant damage to many companies. Adding a formalized risk assessment process to the SOC 2 process can reduce your organization’s overall exposure to risk.

*More information about different types of SOC audits and considerations for preparing for them can be found in our earlier blog posts and our e-book, A Service Organization’s Guide to SOC 1, 2 and 3 Reports.

If you’d like to discuss how our team can help with your SOC audit needs, please contact us.