SOC 2 Readiness Series – Risk Management
April 27, 2020
Undertaking a first-year SOC audit can be a daunting feat for an organization. Are you wondering where to start? As part of our SOC2 readiness series, we’ll be highlighting five of the largest topical areas within a SOC2 audit.
Risk Management is a fundamental component to consider during SOC2 audit readiness. Below we’ve outlined guidance to help organizations comply with the American Institute of Certified Public Accountants’ (AICPA) SOC2 trust services criteria, specifically those related to risk management.
Tone at the Top
Risk management should be treated as an ongoing process that starts with management and requires buy-in from all stakeholders in order to identify the relevant risks and remediation options. We recommend that, at least once a year, management and relevant oversight groups (e.g. the Board of Directors) facilitate a discussion of the organization’s commitments and system requirements, threats to meeting those commitments and requirements, and ways of mitigating those threats. We also recommend that risk management be an ongoing topic in oversight meetings and discussions. Risk mitigation is not a static endeavor: threats evolve, and so should your risk management plan. The process also must be formalized and documented in order to validate and support operating effectiveness throughout the period under audit. From a SOC auditor’s perspective, “if it isn’t documented, we can’t confirm it happened.”
Obligations, Requirements, and Threats
The discussion should start with determining your organization’s commitments and system requirements. What contracts are in place, and what do they obligate you to deliver? What resources will you need to meet those obligations? What information will you receive in the process that will require protection?
Once your organization’s commitments and system requirements have been identified, it’s time to consider factors that might threaten your ability to perform, such as:
- Laws, regulations, and standards: What rules currently apply to your business, and can you demonstrate that you’re following them? Laws, regulations, and standards can change frequently, and even if the text stays the same, their interpretation and enforcement can be affected by the decisions of courts, agencies, and independent governing bodies.
- Internal threats: Are there personnel, budgetary or operational issues that may impact your objectives? For example, is there a succession plan in place for the CEO and other high-level managers? Are you properly training employees to complete their job responsibilities? Are your technology and security systems up to date?
- External (third-party) threats: How might your customers, vendors, or business partners impact the achievement of objectives? Are your rights secured via contracts, security agreements, or opinions of counsel? Do you work with vendors that have access to your customers’ data?
- Fraud-related threats: These can arise internally or via third parties. Fraudulent reporting, misappropriation of physical assets or trade secrets, instances of corruption or misconduct, and similar issues can all impact your ability to fulfill your commitments.
- External changes: Beyond the threats already considered, what changes do you expect in the regulatory, economic, and physical environment in which your business operates? What’s on the horizon in your industry, or among your competitors? Are your vendors reliable? Are consumer tastes changing?
- Internal changes: Your own business plans can also impact your risk profile. For example, upgrading your technology, expanding product lines, moving or opening a new location, acquiring or merging with another organization, or even just a period of rapid growth can challenge your organization’s systems, methods of operation, and relationships with vendors, business partners, and customers. Of course, any change in leadership or management team can bring with it a change in attitudes or philosophies on internal controls.
Prevent, Mitigate, or Insure?
Now that you’ve identified the threats to your organization, what are you going to do about them?
The answer will depend on the gravity of each risk, which is a function of its probability (how likely is the threat to occur?); its expected impact on your operation (high, medium or low?); and the cost to deal with it, including actual expenses and missed opportunities.
Based on that assessment, leadership should determine its response: do you accept the risk, take preventive steps to avoid or minimize it, and/or insure against the loss should it occur? These decisions make up the risk management plan.
How Will This Impact Your Business?
If your organization does not already have a risk management process, developing one is likely to increase the time, effort, and level of commitment needed for a successful SOC2 audit.
The upside, however, can be tremendous. It can help you control losses and increase resiliency in the face of setbacks ranging from a power outage to a cyber-attack – or even a global pandemic – putting your business at a competitive advantage. Risk analysis can spur enhancements and provide a planning benchmark for future innovation.
A strong risk management program, including risk assessments, is one way of providing leadership with the information they need to understand factors that could negatively influence operations. Most people understand that growth and innovation create opportunities, but far too often they overlook the associated risks. As we’ve all seen, exposed vulnerabilities have done significant damage to many companies. Incorporating the SOC2-required risk assessment process can reduce your organization’s overall exposure to threats and get you one step closer to SOC2 compliance!
SC&H’s Key Takeaways
- Risk management should be treated as an ongoing process that requires buy-in from all stakeholders in order to identify relevant risks and remediation options in accordance with an organization’s risk tolerance.
- Threats to meeting an organization’s commitments and system requirements can stem from all areas of an organization, including compliance with applicable laws, regulations, standards, the potential for fraud, vulnerabilities in internal processes, external relationships, and changes within an organization.
- A risk management program can help you control losses and increase resiliency in the face of setbacks ranging from a power outage to a cyber-attack – or even a pandemic – putting your business at a competitive advantage.
- Threats and vulnerabilities to an organization are ever-evolving and should be re-evaluated at least annually to ensure they are continuously analyzed/mitigated in accordance with an organization’s risk tolerance.