
SOC 2 Assessment of Risks (Principle 6) (CC3.1)

Overview:
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.


Action Items:
1) Create a risk assessment policy and related procedures that outline the organization's risk assessment approach, and publish them on the company intranet for employees to access and review.
2) Inquire of the senior compliance manager, or equivalent, about the strategy meeting to determine that management holds an annual company-wide strategy meeting that discusses and aligns internal control responsibilities, performance measures and incentives with company business objectives.
3) Inspect the minutes of the most recent strategy meeting to determine that management formally documents an organizational strategy and performance policy and updates it annually to align internal control responsibilities, performance measures and incentives with company business objectives.
4) Inspect the minutes of the most recent annual company-wide strategy meeting to determine that the meeting was held and that it discussed and aligned internal control responsibilities, performance measures and incentives with company business objectives.
5) Inspect the policy describing the risk assessment approach to determine that the entity documents relevant operations, reporting, and compliance objectives that are in line with the mission of the organization.


Related Documents:
1) Risk assessment policy
2) Board of directors strategy meeting minutes
3) Company-wide strategy meeting minutes

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Reflects Management's Choices—Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.
2) Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of operations objectives.
3) Includes Operations and Financial Performance Goals—The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
4) Forms a Basis for Committing of Resources—Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
5) Complies With Applicable Accounting Standards—Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
6) Considers Materiality—Management considers materiality in financial statement presentation.
7) Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.
8) Complies With Externally Established Frameworks—Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
9) Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
10) Reflects Entity Activities—External reporting reflects the underlying transactions and events within a range of acceptable limits.
11) Reflects Management's Choices—Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity.
12) Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
13) Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits.
14) Reflects External Laws and Regulations—Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
15) Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of compliance objectives.
16) Establishes Sub-objectives to Support Objectives—Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity's objectives related to reporting, operations, and compliance.