One of my final initiatives prior to leaving public accounting and entering my new role in risk management was helping organizations prepare for the changes introduced by AICPA in the SSAE 18 audit standard, which went into effect in May 2017. One of those changes was the requirement for service organizations to implement a formal risk assessment process and include a description of this process in SOC reports (the assurance reports for specific services such as payroll processing or claims adjudication).
Although organizations had the option to include a description of their risk assessment processes in SOC reports prior to the SSAE 18 standard, those descriptions were high level and could cover “informal” risk assessments. SSAE 18 requires a formal risk assessment process which, according to the AICPA, “may include estimating the significance of identified risks, assessing the likelihood of their occurrence, and deciding about actions to address them.” However, the approach used to perform the risk assessment is left to the discretion of the organization.
At a high level, there are two broad approaches to risk assessment: qualitative and quantitative (for some background, see my blog post Qualitative vs. Quantitative Risk Analysis Explained in 90 Seconds). I'd argue that a quantitative approach gets you more defensible, objective and overall more useful results.
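To make the qualitative/quantitative distinction concrete, here is an added example (not code from the original post, and not a FAIR Institute tool) of the FAIR-style arithmetic: loss event frequency (events per year) and loss magnitude (dollars per event) are each expressed as calibrated low/most-likely/high ranges, sampled with a PERT distribution, and combined by Monte Carlo into an annualized loss distribution. The input ranges are constructed sample values for illustration, and the use of a modified PERT with shape parameter 4 is this example's assumption, not something the post prescribes.

```python
"""FAIR-style annualized loss estimate by Monte Carlo (added example, stdlib only)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Calibrated estimate: absolute minimum, most likely, absolute maximum."""
    low: float
    likely: float
    high: float


def pert_mean(r: Range) -> float:
    """Mean of the PERT distribution over a low/likely/high range."""
    return (r.low + 4 * r.likely + r.high) / 6


def pert_sample(rng: random.Random, r: Range, shape: float = 4.0) -> float:
    """Draw one value from a modified PERT distribution (beta rescaled to the range)."""
    if r.high == r.low:
        return r.low
    span = r.high - r.low
    a = 1 + shape * (r.likely - r.low) / span
    b = 1 + shape * (r.high - r.likely) / span
    return r.low + rng.betavariate(a, b) * span


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year given an annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile on an already sorted list (p in 0..1)."""
    idx = int(round(p * (len(sorted_values) - 1)))
    return sorted_values[idx]


def annualized_loss_expectancy(lef: Range, lm: Range) -> float:
    """Single-number ALE: mean loss event frequency times mean loss magnitude."""
    return pert_mean(lef) * pert_mean(lm)


def simulate_annual_loss(lef: Range, lm: Range, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo: sample events per year, then a magnitude for each event, and sum."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson_sample(rng, pert_sample(rng, lef))
        losses.append(sum(pert_sample(rng, lm) for _ in range(events)))
    losses.sort()
    return {
        "min": losses[0],
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "max": losses[-1],
        "mean": sum(losses) / len(losses),
    }


# Constructed sample inputs for one risk scenario (not real organizational data):
# a payroll-data disclosure expected 0.5 to 6 times a year, most likely twice,
# costing between $10k and $400k per event, most likely $50k.
SAMPLE_LEF = Range(low=0.5, likely=2.0, high=6.0)
SAMPLE_LM = Range(low=10_000, likely=50_000, high=400_000)

if __name__ == "__main__":
    print(f"ALE (point estimate): ${annualized_loss_expectancy(SAMPLE_LEF, SAMPLE_LM):,.0f}")
    summary = simulate_annual_loss(SAMPLE_LEF, SAMPLE_LM)
    for key, value in summary.items():
        print(f"{key:>5}: ${value:,.0f}")
```

The output is a loss distribution (10th, 50th and 90th percentiles plus mean) rather than a single "High" rating, which is the kind of documented, data-backed rationale a service auditor can evaluate against the control objectives it supports. The ranges themselves, and the sources they came from, are what the risk assessment description in the SOC report should record.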
Here are a few benefits that quantification for risk assessments using the FAIR model can bring organizations issuing SOC reports:
- Enhances defensibility: Mapping key risks to control objectives is a critical requirement for service organizations in SOC reporting, because it defines which controls are included in the report and examined by the external auditors issuing it (i.e., service auditors). It is therefore important to have defensible data from your risk analyses to support the rationale for the controls identified to mitigate these key risks. Quantifying risk in financial terms using a model such as FAIR adds rigor and enhances the defensibility of the identified risks that map to control objectives in the SOC report. This approach can also encourage the adoption of a risk-based approach to the organization’s control environment, which may reduce investment in controls for lower-risk areas.
- Promotes objectivity and reliability: The quality of a service organization’s risk assessment process may also influence the nature, timing and extent of audit procedures. Therefore, it’s important that the results of the risk assessment are reliable. The more the auditors can rely on the supporting documentation, the less time and energy will be spent evaluating it. Quantifying risk in financial terms introduces a greater degree of objectivity in risk analysis which, in turn, can increase the extent to which the service auditor can rely on this information.
- Builds trust: Regardless of the type of SOC report being issued, the underlying objective of these reports is to instill trust in the service organization. User organizations are more likely to trust service organizations with their data if they know the service organizations have sufficient controls in place over their environment. Since user organizations will now have transparency into the risk assessment process via SOC reports, knowing that the service organization has taken a quantified approach to risk management may increase the confidence that the service organization has taken the appropriate steps to manage their highest risks and allocate the appropriate controls to mitigate those risks.
- May reduce audit fatigue: Clearly documented rationale supporting the risk assessment process can also reduce the time and energy spent with service auditors, leading to less money spent on audit activities and more time allocated toward revenue-generating activities. Quantifying risk in financial terms using the FAIR model enables organizations to clearly document their rationale and identify the data sources feeding into their risk analysis. SOC 2 reports are also by nature designed to replace many of the typical questions found in a SIG (Standardized Information Gathering questionnaire), so demonstrating the use of a quantified approach to risk management may instill confidence in the service organization’s risk management program and decrease the number of questions asked by the user organization.
Finally, the FAIR model is also designed to complement risk management frameworks, including NIST CSF, by providing the means to evaluate the significance of the risks those frameworks identify in economic terms (versus the more common ordinal measurements). For more, see this blog post by FAIR creator Jack Jones: NIST, CSF and FAIR.