Formal Risk Assessment Before Our SOC 1?
Do we have to go through a formal risk assessment before our SOC 1?
No. Either a formal or an informal process for identifying relevant risks is acceptable (see paragraph .A18 of the standard). Per the standard:
“Because control objectives relate to the risks that controls seek to mitigate, … management’s thoughtful identification of the control objectives when designing, implementing, and documenting the service organization’s system may itself comprise an informal process for identifying relevant risks.”
The system description (the narrative, or body, of the SOC report) will include a description of the service organization's risk assessment process. Although a SOC 1 does not require a formal risk assessment process, other compliance, attestation, and certification initiatives may require a more formal one, and management should take this into account when deciding on the scope and formality of its risk assessment process.