
COSO – CC3.2 – Risk Assessment – Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Overview – Trust Services Criteria

COSO’s CC3.2 for the component Risk Assessment requires the following “Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”


Points of Focus

Below are the points of focus and any related mappings to other frameworks and standards.

Each point of focus is listed below with its description, followed by its mapping to other frameworks and standards.

  1. Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
     - NIST CSF – ID.RA-1 – Asset vulnerabilities are identified and documented
     - NIST CSF – ID.RA-2 – Cyber threat intelligence and vulnerability information is received from information sharing forums and sources
  2. Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives.
     - NIST CSF – ID.RA-1 – Asset vulnerabilities are identified and documented
     - NIST CSF – ID.RA-2 – Cyber threat intelligence and vulnerability information is received from information sharing forums and sources
     - NIST CSF – ID.RA-3 – Threats, both internal and external, are identified and documented
     - NIST CSF – ID.RA-5 – Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  3. Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
  4. Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
     - NIST CSF – ID.RA-4 – Potential business impacts and likelihoods are identified
  5. Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
     - NIST CSF – ID.RA-6 – Risk responses are identified and prioritized
  6. Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities — The entity’s risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
     - NIST CSF – ID.AM-1 – Physical devices and systems within the organization are inventoried
     - NIST CSF – ID.AM-2 – Software platforms and applications within the organization are inventoried
     - NIST CSF – ID.AM-3 – Organizational communication and data flows are mapped
     - NIST CSF – ID.AM-4 – External information systems are catalogued
     - NIST CSF – ID.AM-5 – Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value
  7. Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity’s risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity’s information systems.
  8. Considers the Significance of the Risk — The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood.


What is the COSO Framework?

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a joint initiative of five private sector organizations and provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Source: https://us.aicpa.org/interestareas/businessindustryandgovernment/resources/riskmanagmentandinternalcontrol/coso-integrated-framework-project

The COSO Internal Control Framework was developed to help “organizations design and implement internal control in light of the many changes in business and operating environments.” The Treadway Commission designed the framework with SOX in mind, but the framework goes beyond financial reporting controls since it applies to operations, compliance, and reporting (both internal and external). For most public companies, the process of using the COSO Internal Control Framework is an exercise in mapping their SOX controls to the COSO Internal Control Framework and then evaluating the control environment in total against the framework.

The COSO Internal Control Framework is a comprehensive model comprising the following five (5) integrated Components, supported by seventeen (17) Principles. The five (5) Components are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

Source: https://www.auditboard.com/blog/difference-between-coso-and-sox/


Internal Control Categories

The COSO framework divides internal control objectives into three (3) categories: Operations, Reporting and Compliance.

  1. Operations objectives, such as performance goals and securing the organization’s assets against fraud, focus on the effectiveness and efficiency of your business operations.
  2. Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to transparency, timeliness and reliability of the organization’s reporting habits.
  3. Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with.

Source: https://www.i-sight.com/resources/coso-framework-what-it-is-and-how-to-use-it/

Updated on September 13, 2022