SOC 2 Developing Control Activities (Principle 10) (CC5.1)


Overview:

The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Action Items:

1) Create a risk assessment policy and related procedures that outline the organization's risk assessment approach, and publish them on the company intranet for employees to access and review.
2) Inspect the most recent risk assessment to confirm that a formal risk assessment is performed at least annually. Identified risks (including fraud risk) should be rated using a defined risk evaluation process and formally documented, together with their mitigation strategies, for management review. Vulnerabilities and risks identified by the vulnerability assessment should be assessed and reviewed by the security and compliance group.
3) Inspect the most recent risk assessment to determine that assigned risk owners selected and developed control activities to mitigate the risks identified during the annual risk assessment process.

Related Documents:

1) Risk assessment policy
2) Sample of recent business risk assessments

Additional Guidance:

The following points of focus highlight important characteristics related to this criterion:

1) Integrates With Risk Assessment—Control activities help ensure that risk responses that address and mitigate risks are carried out.
2) Considers Entity-Specific Factors—Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.
3) Determines Relevant Business Processes—Management determines which relevant business processes require control activities.
4) Evaluates a Mix of Control Activity Types—Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.
5) Considers at What Level Activities Are Applied—Management considers control activities at various levels in the entity.
6) Addresses Segregation of Duties—Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities.


Article ID: 230
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-developing-control-activities-principle-10-cc5-1-230.html