Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, has established three types of Service Organization Controls reports (“SOC”). The three types SOC 1, SOC 2, and SOC 3 are comprised of various components and require different reporting aspects based on the type of examination. Regardless of whether a service organizations is undergoing a SOC 1, SOC 2, or SOC 3 examination, all service organizations are now required to perform a risk assessment that assesses risks for each control objective (SOC 1) or each Trust Services Criteria (SOC 2 and SOC 3).
Types of Risk Assessments
For organizations undergoing a SOC 1 examination, the risk assessment is required for each control objective in order to allow the service organization to appropriately assert to the design effectiveness of the controls for the period under examination. The risk assessment allows the organization to assess the risks for each control objective and evaluate whether the key controls are designed to effectively mitigate the identified risks. For those organizations that require a SOC 2 or SOC 3, the risk assessment process should evaluate risks related to each Trust Services Criteria and the associated mitigating controls to evaluate whether the key controls are designed effectively.
Risk Assessment Process
As Service Organization’s embark on performing their risk assessments, they should consider several key steps that should be followed in documenting the risk assessment. The first key issue the service organization needs to address is identifying the appropriate control owners for each control objective or Trust Services Criteria. It is not uncommon for many control objectives and Trust Service Criteria to be performed by various individuals within the service organization, and it is extremely important that each owner prepare the risk assessment for the objectives and criteria for which they are responsible. Once the responsible parties have been identified, they should begin to document the key risks associated with each control objective or Trust Services Criteria. In addition, the key controls that have been implemented to mitigate these risks should be documented as well. The risks and the associated key controls should be clearly documented on the assessment along with a conclusion stating whether the control owner believes the identified risks have been appropriately mitigated by the key controls. In addition, any risks identified that have not been appropriately mitigated by key controls should be appropriately documented along with the plan to implement key controls to ensure the deficiency has been eliminated.
Service organizations should also review and update their risk assessments at periodic intervals throughout the SOC 1, SOC 2, or SOC 3 reporting period. A quarterly or semi-annual review of the risk assessment for each control area should be performed by the control owner. The risks for each control objective or Trust Services Criteria should be re-evaluated to help ensure the business climate of the service organization has not changed since the last assessment. Changes in the business climate could include the addition of new services, systems, or end users that change the risk surrounding the control objectives or Trust Services Criteria. The new risks will need to be evaluated to determine that the key controls appropriately address the risks. New key controls may need to be implemented to address these risks.
Evaluating Business Climate and User Needs
In addition to evaluating the risk assessment for changes to the business climate, service organizations should also evaluate whether user needs have changed since the last risk assessment. A change in user needs will require the service organization to re-evaluate the risks for each control area as they relate to the changes that have occurred with the users of the report. Service Organizations should consider establishing a risk assessment oversight committee that reviews overall changes to user needs and risks. The ongoing periodic risk assessment updates should include clear and concise documentation verifying whether any changes to the business climate or user needs occurred during the proceeding period. In the event changes to either the business climate or user needs have occurred, the control owner should re-evaluate the risk and assess whether the associated key controls are designed effectively to address any new risks.
The service organization’s risk assessment will require significant effort and documentation for the service organization. Additionally, the risk assessment process will need to be an ongoing effort performed periodically to ensure that as the business environment and user needs change the risks associated with those changes are being appropriately addressed by the organization’s key controls. If you have any questions about the risk assessment process associated with Service Organization Controls, please feel free to contact McKonly & Asbury Partner, Michael Hoffner.