What is a Risk Assessment? – Learn The 5 Steps to a Risk Assessment

What is the Purpose of a Risk Assessment?

Most information security frameworks require a formally documented, annual risk assessment. You will see this requirement over and over again in your pursuit of SOC 1, SOC 2, PCI DSS, HIPAA, or HITRUST CSF compliance. What is a risk assessment? What is the purpose of a risk assessment, and why is it so important to information security frameworks? A risk assessment is a methodology used to identify, assess, and prioritize organizational risk. Without a risk assessment, an organization can be left unaware of where its critical assets live and what the risks to those assets are. A risk assessment evaluates the likelihood and impact of those threats actually occurring, and gives you an opportunity to evaluate whether your current security controls would be an effective defense against a malicious attack.

One way to look at a formal risk assessment process is that it moves your organization from being reactive to being proactive. If you can anticipate a potential security incident and address its potential adverse impacts ahead of time, chances are you will succeed and save your business from operational and reputational loss.

In relation to a SOC 1 audit, the controls that you select to be tested and described in your SOC 1 report need to be based on your risk assessment. You must determine what risks you face in the achievement of your control objectives, and then you must implement the controls that address those risks.

5 Steps to a Risk Assessment

A risk assessment is a systematic process of evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. The risk assessment process must be a continual, monitored process to be effective. So, where do you begin? The five steps to a risk assessment include:

  1. Conduct Risk Assessment Survey – Input from management and department heads is vital to the risk assessment process. This survey is an avenue to document specific risks or threats within a department.
  2. Identify Risks – The purpose of a risk assessment is to evaluate something like an IT system and ask, what are the risks to hardware, software, data, IT personnel? What are the potential adverse events, like fire, human error, bomb threats, or flooding? What’s the potential for a loss of integrity, availability, or confidentiality in your systems?
  3. Assess Risk Importance and Risk Likelihood – What is the likelihood of a specific event having a negative impact on an asset? This can be expressed subjectively or quantitatively (High, Medium, Low or 1, 2, 3).
  4. Create a Risk Management Action Plan – Based on your analysis of which assets are valuable and which threats are likely to negatively affect those assets, you must develop control recommendations to either mitigate, transfer, accept, or avoid the risk.
  5. Implement a Risk Management Plan – Now that you’ve completed the first four steps to a risk assessment, you’ve developed an effective way to identify and manage risk. Now, it’s time to train your team and implement these controls.
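Steps 2 through 4 above (identify risks, rate likelihood and impact, build the action plan) are easier to see in a small risk register. The following is an added example, not code from the original article; the 1, 2, 3 scale for likelihood and impact comes from the article, while the rating bands, the risk appetite threshold, the treatment rule and the sample register entries are assumptions made here for illustration.

```python
"""Risk register scoring for steps 2-4 of the risk assessment above.

Added example (not from the original article). The 1-3 likelihood/impact
scale matches the article; the rating bands, risk appetite and treatment
rule are assumptions chosen for illustration, not part of any framework.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str          # "Low", "Medium" or "High"
    impact: str              # "Low", "Medium" or "High"
    existing_control: str = "none documented"

    def __post_init__(self):
        # Reject typos such as "Hgh" early: a mis-keyed level would silently
        # distort the ranking of the whole register.
        for name in (self.likelihood, self.impact):
            if name not in LEVELS:
                raise ValueError(f"unknown level {name!r}; use one of {list(LEVELS)}")

    def score(self) -> int:
        """Inherent risk score: likelihood x impact on the 1-3 scale (1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def rating(score: int) -> str:
    """Assumed bands: 6-9 High, 3-5 Medium, 1-2 Low."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def treatment(risk: Risk, appetite: int = 2) -> str:
    """Assumed treatment rule (illustrative policy, not a standard):
    - at or below the risk appetite: accept and document;
    - rare but severe (Low likelihood, High impact): transfer, e.g. insurance;
    - everything else: mitigate with a control recommendation.
    'Avoid' (dropping the activity) is a management decision recorded
    separately rather than derived from the score alone.
    """
    if risk.score() <= appetite:
        return "accept"
    if risk.likelihood == "Low" and risk.impact == "High":
        return "transfer"
    return "mitigate"


def prioritize(register):
    """Highest inherent score first; ties broken by asset name for stable output."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def summarize(register):
    """Count of risks per rating band, for the management summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[rating(r.score())] += 1
    return counts


# Constructed sample register (hypothetical organisation, not real data).
SAMPLE_REGISTER = [
    Risk("Customer database", "SQL injection via web application", "High", "High",
         "input validation on some forms only"),
    Risk("Backup tapes", "Flood at primary data center", "Low", "High",
         "tapes stored on site"),
    Risk("Workstations", "Phishing leading to credential theft", "High", "Medium",
         "annual awareness training"),
    Risk("Office printer", "Hardware failure", "Medium", "Low"),
    Risk("Payroll system", "Privileged user error", "Medium", "Medium",
         "peer review of payroll runs"),
]


def action_plan(register):
    """Rows of the risk management action plan (step 4), ordered by priority."""
    return [
        (r.asset, r.threat, r.score(), rating(r.score()), treatment(r))
        for r in prioritize(register)
    ]


if __name__ == "__main__":
    for row in action_plan(SAMPLE_REGISTER):
        print("%-18s %-40s score=%d %-6s -> %s" % row)
    print(summarize(SAMPLE_REGISTER))
```

Running the file prints the prioritized action plan, with the SQL injection risk (score 9) at the top and the printer failure (score 2, within the assumed appetite) accepted at the bottom. The validation in `__post_init__` is deliberate: a register is only as good as its inputs, and a single mis-typed level changes which risks get attention first.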

Video Transcript

A risk assessment is an important component of an SSAE 18 (recently updated from SSAE 16) because the controls that you select to describe in your report and that the auditor will test must be based on that assessment of risk. You must determine what risks you’re facing in the achievement of your control objectives and then you must implement the controls in order to address those risks. We get these questions all the time – What is the purpose of a risk assessment? What are the steps to a risk assessment? What should go into a report? What controls should we have in place? The answer to that is: What risks are you trying to address? That’s part of our process so that we can help you identify what those risks are. Understand the concept of risk assessment and why it’s so important for the SOC 1. That really and truly is the thing that determines what goes into your report.

Understanding Your SOC 1 Report: The 5 Components of Internal Control

What are the Components of Internal Control (CRIME)?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. It’s one of the most common models used to design, implement, maintain, and evaluate internal control. To have an effective system of internal control, the COSO framework requires that service organizations have the defined components of internal control present, functioning, and supporting business and internal control objectives. Control environment, risk assessment, information and communication, monitoring, and existing control activities make up the five components of internal control, known by the acronym of CRIME.

What are the components of CRIME and what do they mean for your organization?

  1. Control Environment: The first component of internal control is control environment. A control environment refers to a service organization’s compliance culture and includes everything from organizational structure to ethical values. Is management committed to an effective system of internal control? Is there some type of team committed to internal auditing or compliance? How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness?
  2. Risk Assessment: Risk assessment is a critical component of a service organization’s compliance, which is why the COSO framework incorporates it into the components of internal control. Does the organization know where assets live? Does the organization assess risks that are a threat to the achievement of internal control objectives? Are controls fully understood? Are there tests performed to assess controls?
  3. Information and Communication: Quality information and effective communication within a service organization can affect whether internal control objectives are met. When there’s a system change, how does management communicate that to internal employees and/or external users? How effective is that communication?
  4. Monitoring: How does management monitor the operating effectiveness of the organization? How do you address deficiencies and take part in corrective action?
  5. Existing Control Activities: The final component of internal control is existing control activities. This is the largest component, as it provides the details about the controls that you’ve put into place to meet your internal control objectives. Does the organization have documented policies and procedures? Is there a business continuity plan? Is there a change management program?

The five components of internal control function together to create an effective system of internal control. You must have a control environment to create a compliance culture within your organization. Once you have management’s support and influence, you can create a risk assessment process that identifies and manages risks that threaten the achievement of internal control objectives. You can then implement control activities that meet your internal control objectives and use effective communication to implement these processes throughout your organization. An ongoing monitoring program will keep your organization focused on meeting internal control objectives.

To learn more about how to implement the five components of internal control at your organization, contact us today.

Video Transcript

In order to complete your SSAE 16 (recently updated to SSAE 18), you must have the five components of internal control present and functioning. These components are known by the acronym of CRIME. The first component is a control environment. How does management implement policies and procedures that guide the organization? How does management create an atmosphere that addresses integrity, ethics, and operating effectiveness? The second component is risk assessment. Does the organization assess risks that are a threat to the achievement of your control objectives? The third component is information and communication. How does management communicate to your internal employees and your external users of your controls about any system changes or anything that might affect the use of the system that the service organization is offering? The fourth component is monitoring. How does management monitor the operating effectiveness of the organization? How do you address efficiencies and take part in corrective action? The fifth component is existing control activities. This section of the SSAE 16 (recently updated to SSAE 18) is the largest, as it provides the detail about the controls that you’ve put into place to meet your control objectives.

Understanding Your SOC 1 Report: The 3 Objectives of COSO

What is the COSO Framework?

The framework utilized for a SOC 1 audit is known as the COSO Internal Control Framework. The COSO framework is one of the most common and important models used to design, implement, maintain, and evaluate internal control. It’s regarded as the definitive model against which organizations determine the effectiveness of their internal control. The COSO framework was established in 1992, but updated in 2013 to address evolving technology, environments, governance, and regulations. SOC 1, 2, and 3 reports all incorporate the COSO framework in some way. The COSO framework outlines objectives, components, and principles. What are the three objectives of COSO and why are they important?

What are the 3 Objectives of COSO?

Design, implement, maintain, and evaluate internal control – easy enough, right? There are a lot of elements that go into developing an effective system of internal control. The COSO framework outlines three objectives, five components of internal control, and 17 principles related to internal control. The COSO framework defines internal control as, “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations.” The objectives of COSO are at the very core of internal control. What do the objectives of COSO mean for your organization?

  1. Operations – Have the controls that your organization has put into place been properly designed, and are they operating effectively? Your clients are relying on those controls as you deliver your services to them. Are your organization’s operating procedures efficient? Are your operational and financial performance goals realistic? Do you safeguard assets against risk and loss? The operations objective is meant to focus on the effectiveness and efficiency of operations.
  2. Reporting – Are your reports reliable, timely, and transparent? What reports do your clients rely upon? Meeting the reporting objective is vital to meeting your clients’ goals and your obligations to them.
  3. Compliance – Which laws and regulations apply to you? The compliance objective ensures that you remain in compliance with the standards and regulations that your clients care about.

To learn more about the objectives of COSO and how the framework functions within your SOC 1, 2, or 3 report, contact us today.

Video Transcript

The framework that is utilized for the SSAE 18 (formerly SSAE 16) is known as the COSO Internal Control Framework. The first objective of this framework is operations. Are the controls that you’ve put into place properly designed and operating effectively? Your clients are relying on those controls as you deliver your services to them. The second objective is reporting. What reports do your clients rely upon in order to assure that your services are meeting their goals and your obligations to them? The third objective is compliance. Which laws and regulations apply to you so that you remain in compliance with those things that your clients care about?

Understanding Your SOC 1 Report: What is a SOC 1 Report?

What is a SOC 1 Report?

Has a prospect recently asked if your organization has a SOC 1 report? Has a top client requested that you begin completing annual SOC 1 audits? Meanwhile, you’re just wondering, what is a SOC 1 report? If your service organization affects a user organization’s financial reporting, a SOC 1 applies to you. SOC 1 engagements are based on the SSAE 18 standard developed by the AICPA and report on the effectiveness of internal controls at a service organization that may be relevant to their clients’ internal control over financial reporting (ICFR). A SOC 1 report is the only type of SOC report that evaluates and tests financial reporting. Receiving a SOC 1 report establishes a greater level of trust with clients, gives your organization a competitive advantage, and shows your commitment to protecting sensitive information.

5 Components of a SOC 1 Report

In a SOC 1 report, an independent auditor attests that management’s description of a service or system is suitably designed and that the controls are suitably designed to achieve the control objectives. SOC 1 reports issued by KirkpatrickPrice will contain a fair presentation and description of the internal controls within the scope of the audit. The controls described are only those that relate to a user organization’s ICFR and to the services that the service organization provides to them. The report will also describe the objectives of each control, whether the controls were suitably designed to achieve their objectives, and, for Type II audit engagements, whether the controls were operating effectively throughout the review period. A SOC 1 report also includes five major sections, which map to the five Committee of Sponsoring Organizations (COSO) components:

1. Control Environment

The control environment is the foundation for all other components of internal control. It sets the tone of an organization that influences the control consciousness of its people. In other words, it establishes the overall attitude, awareness, and actions of the board of directors, management, and employees concerning the importance and emphasis of internal control in the entity.

2. Risk Assessment

Risk assessment is not just the identification and evaluation of the significance of risk, but also involves how those risks are to be managed within your organization’s environment. COSO states that risks relevant to financial reporting include external and internal events that may occur and adversely affect the achievement of financial reporting objectives.

3. Control Activities

The policies and procedures established to provide reasonable assurance that management’s directives to mitigate risk are executed. Control activities may be preventative or detective, and include the traditional internal controls, such as processing, recording, approving, and reconciling transactions. They occur on a day-to-day routine basis throughout the organization and at all levels to record the transactions and events that create the financial statements. Controls fall into three categories: general controls, application controls, and physical controls.

4. Information and Communication

This refers to the identification, retention, and transfer of information in a timely manner enabling personnel to execute their responsibilities. The quality of information impacts management’s capacity to make decisions to direct the entity’s activities and prepare financial statements. Communication includes obtaining, providing, and sharing information, both internally and externally.

5. Monitoring

A process that evaluates whether each of the five internal control components, and the principles within each component, are present and functioning. The process may be achieved through separate evaluations or ongoing activities. Monitoring also includes initiating appropriate corrective actions.

A SOC 1 report provides an independent opinion on the establishment of effectively designed control objectives and control activities. A SOC 1 report is issued by a qualified, independent, certified public accounting firm. If you want to learn more about what it takes to complete a SOC 1 audit, contact us today.

Video Transcript

An SSAE is a statement on standards for attestation engagements. These are technical pronouncements from the AICPA, which is the American Institute of Certified Public Accountants. The SSAE 18 (formerly SSAE 16) is specifically designed for service organizations. What the independent auditor is attesting to is that management’s description of the service or system that the users have access to is suitably designed and that the controls are suitably designed in the attainment of the control objectives. Also, for a Type II report, the auditor is attesting to the fact that the controls were operating effectively during the period.

The service organization receives a report from the independent auditor, and that report can be shared with their user organizations, as they would rely upon that during their audit, as they are concerned about internal control over financial reporting. An SSAE 18 is issued by a qualified, independent, certified public accounting firm.

Understanding Your SOC 1 Report: How Does Sampling Work?

Sampling During a SOC 1 Audit

When an auditor performs a test of control during a SOC 1 audit, it may be appropriate to apply sampling. Sampling is applying audit procedures to less than 100% of a population. The types of populations that could need to be tested include new hire training forms, employee acknowledgements of policies and procedures, antivirus reports, or access control logs. The PCAOB states that sampling requires, “that the auditor use professional judgment in planning, performing, and evaluating a sample and in relating the evidential matter produced by the sample to other evidential matter when forming a conclusion about the related account balance or class of transactions.”

If a population is large, say 100 items, an auditor might take a random sample of 30. If the population is 10 items or fewer, they may take a minimum of three. By and large, our sample size is 10% of the population, with a maximum of 30 and a minimum of three.
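The sizing rule above is simple enough to encode, and doing so makes the auditor's selection reproducible from the workpapers. The following is an added example, not code from the original article or from KirkpatrickPrice: it applies the stated rule of thumb (10% of the population, minimum three, maximum 30), allows a professional-judgment override such as the 30-of-100 case mentioned above, and draws the sample with a recorded seed. The access-log population, the seed value and the "reviewed" attribute used as the control test are constructed for the example.

```python
"""Audit sample sizing and selection for a SOC 1 test of control.

Added example, not part of the original article or any firm's own tooling.
It encodes the rule of thumb stated in the text (10% of the population,
minimum three, maximum 30) and draws the sample with a recorded seed so the
selection can be reproduced later. The access-log population is constructed.
"""
import random
from datetime import date, timedelta
from typing import Optional

MIN_SAMPLE = 3
MAX_SAMPLE = 30


def sample_size(population_size: int, override: Optional[int] = None) -> int:
    """10% of the population (rounded up), clamped to [3, 30].

    `override` lets the auditor apply professional judgment (the article's
    own example takes 30 of 100). Either way the result is capped by the
    population size: you cannot test more items than exist.
    """
    if population_size < 0:
        raise ValueError("population size cannot be negative")
    if override is not None:
        size = override
    else:
        size = (population_size + 9) // 10            # integer ceiling of 10%
        size = max(MIN_SAMPLE, min(MAX_SAMPLE, size))
    return min(size, population_size)                 # a population of 2 yields 2


def select_sample(population, seed: int, override: Optional[int] = None):
    """Random, non-repeating selection; same seed and population -> same sample.

    The seed is what you record in the workpapers alongside the population
    listing, so a reviewer can regenerate exactly the items that were tested.
    """
    size = sample_size(len(population), override)
    rng = random.Random(seed)
    picks = sorted(rng.sample(range(len(population)), size))   # keep original order
    return [population[i] for i in picks]


def exception_rate(sample, has_exception) -> float:
    """Share of sampled items that fail the control test (0.0 for an empty sample)."""
    if not sample:
        return 0.0
    failures = sum(1 for item in sample if has_exception(item))
    return failures / len(sample)


# Constructed population: one badge access-log review entry per day for 45 days.
# Every ninth entry is marked as not reviewed, to give the control test something
# to find; in a real engagement these come from the organisation's log review.
_START = date(2023, 3, 1)
ACCESS_LOG = [
    {
        "date": (_START + timedelta(days=d - 1)).isoformat(),
        "user": f"user{d % 7}",
        "reviewed": d % 9 != 0,
    }
    for d in range(1, 46)
]


if __name__ == "__main__":
    chosen = select_sample(ACCESS_LOG, seed=2023)
    print(f"population={len(ACCESS_LOG)} sample={len(chosen)}")
    for entry in chosen:
        print(entry)
    rate = exception_rate(chosen, lambda e: not e["reviewed"])
    print(f"exception rate in sample: {rate:.0%}")
```

For the 45-entry population the rule yields a sample of five. `random.Random(seed)` is used rather than the module-level functions on purpose: with the seed recorded, anyone re-running the selection gets the same five entries, which is what makes the selection defensible when the population itself is the evidence.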

More questions about SOC 1 reports? View more of our SOC 1 video resources or contact us today.

Video Transcript

When an auditor performs a test of control for an SSAE 16 (SOC 1) report, it may be appropriate to apply sampling. If the sample size of a population is large in number, let’s say a quantity of 100, an auditor might take a random sample of 30 in that situation. If a population size is 10 or less, they may take a minimum of three. By and large, our sample size is 10% of a population, with a maximum of 30 and a minimum of three.

An example of a population that would have to be tested would be new hire training forms, employee acknowledgements of certain policies and procedures, antivirus reports, or access control logs. These kinds of things are determined by what kind of sampling could be applied in those situations where it is appropriate to do so.