Common Criteria 3.3
When a service organization undergoes a SOC 2 audit, the auditor validates that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.3 (CC3.3) states, "The entity considers the potential for fraud in assessing risks to the achievement of objectives." In other words, an organization's risk assessment must treat fraud as a source of risk, not as an afterthought. What does an organization need to do to comply with common criteria 3.3? Let's find out.
Assessing Opportunities for Fraud
As part of the risk assessment process, organizations need to assess opportunities for fraud within the organization so they understand how fraud can affect their risk profile. This covers not only the types of fraud that might be committed, but also the incentives, pressures, attitudes, and rationalizations that could lead someone inside the organization to commit fraud. During the SOC 2 audit, the auditor will verify that the entity has considered the types of fraud that could occur, such as fraudulent reporting, corruption, or loss of assets. The auditor will also want to see that the organization is proactively assessing the incentives and pressures that could drive fraudulent activity. For example, if the organization runs an aggressive bonus program tied to meeting specific objectives, the auditor will expect answers to questions like these:
- How does the organization mitigate the potential for fraudulent behavior created by that incentive?
- If an employee commits fraud in order to receive an incentive bonus, what risks does that pose to the organization?
- Does the organization have a zero-tolerance policy for fraudulent activity?
- How does management respond when an employee commits fraud? Is the behavior rationalized or excused?
Think about it this way: what would the impact to your organization be if an employee accessed and stole sensitive data? What if an employee altered records to get ahead? Assessing opportunities for fraud is essential for every organization, because it is how an organization learns where fraud can affect its risk. Employees are often viewed as the weakest link in security, and that includes the risk that they will commit fraud. If you're preparing for a SOC 2 audit, how are you assessing opportunities for fraud within your organization?
More SOC 2 Resources
When pursuing compliance with common criteria 3.3 (CC3.3) in the SOC 2 Trust Services Criteria, make sure your risk assessment considers the impact of fraud on your level of risk. For example, have you placed too much emphasis on meeting organizational objectives? Is there an incentive, or an opportunity, for an employee to commit fraud in order to earn a reward? Have employees developed attitudes or rationalizations, born of pressure to hit a target or collect a reward, that lead them to use fraud to make it appear they have met their objectives? As you assess your own risks, you need to account for these attitudes and for the potential of fraud to affect your organization.