Overview:
The entity identifies and assesses changes that could significantly impact the system of internal control.
Action Items:
1) Create a vendor management policy and related procedures and publish to the company intranet for employees to access.
2) Create a risk assessment policy and related procedures that outlines the organization's risk assessment approach and publish on the company intranet for employees to access and review.
3) Inspect the information security and legal company tracking documents to determine that the entity’s information technology security group monitors the security impact of emerging technologies and that the impact of changes to applicable laws or regulations is considered by senior management.
4) Inspect the most recent risk assessment to determine that a formal risk assessment is performed on an annual basis, that it considers the impact of changes to the system, and that risks are identified and rated using a risk evaluation process that accounts for changes in risk from the prior year and are formally documented, along with mitigation strategies, for management review.
5) Inspect the ISMS security and compliance calendar and the company information security management system dashboard to determine that the compliance team reviews changes to vendors along with their completed audit reports during the review period and on at least an annual basis and determines the impact of any changes in relation to the organization’s objectives and the impact to internal control.
6) Inspect the ISMS dashboard to determine that recurring service level assessments are performed by the compliance team, that these assessments include evaluation of the operation of key controls, that they are reviewed at monthly departmental meetings, and that they require the development of corrective action plans for control weaknesses.
7) Inspect the most recent risk assessment and risk assessment treatment policy to determine that the risk assessment process considers significant changes to the internal and external environments.
Related Documents:
1) Vendor management policy
2) Risk assessment policy
3) Information security and legal company tracking documents
4) Sample of recent business risk assessments
5) Documented vendor review reports
6) Documented internal service level assessments
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Assesses Changes in the External Environment—The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
2) Assesses Changes in the Business Model—The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.
3) Assesses Changes in Leadership—The entity considers changes in management and respective attitudes and philosophies on the system of internal control.
4) Assesses Changes in Systems and Technology—The risk identification process considers changes arising from changes in the entity's systems and changes in the technology environment.
5) Assesses Changes in Vendor and Business Partner Relationships—The risk identification process considers changes in vendor and business partner relationships.
Article ID: 227
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-assessment-of-changes-principle-9-cc3-4-227.html