SOC 2 Academy: Who Should Make Updates To Your Risk Assessment?
The Importance of Teamwork During a Risk Assessment
During a SOC 2 audit, an auditor will assess an organization’s risk assessment processes. This includes not only how the organization assesses risk, but also the people involved in the risk assessment process. Auditors will want to see that the organization has a process in place regarding who should make updates to the risk assessment. Why is that? One of the common findings of SOC 2 audits is that organizations treat their risk assessment as something they update without much thought from the previous year, and they often don’t involve the appropriate members of the organization in the risk assessment process. Why is teamwork important during a risk assessment? Who should make updates to the risk assessment? Let’s discuss.
Video Transcription
One of the common findings that we have in an entity’s risk assessment is that it was just treated as something that they updated without much thought from the previous year, and they didn’t involve the appropriate members from the organization to contribute to the risk assessment process. It shouldn’t be something that just one person knows about, or one person completes, because you might be missing some very relevant intelligence from people who work at the warehouse or people who work in sales. The risk assessment involves not only people who work in IT, but also people who work in compliance, operations, or even the front desk receptionist. Consider how you can involve the most people in your organization in your risk assessment process, so that you can identify risks that you might not be aware of.