cc33.md

SOC2 - CC3.3

COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives

Considers Various Types of Fraud

The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur

Assesses Incentives and Pressures

The assessment of fraud risks considers incentives and pressures

Assesses Opportunities

The assessment of fraud risk considers opportunities for unauthorized acquisition,use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts

Assesses Attitudes and Rationalizations

The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions

Additional point of focus specifically related to all engagements using the trust services criteria: Considers the Risks Related to the Use of IT and Access to Information

The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.

Mapped SCF controls

• RSK-06.1 - Risk Response
• THR-01 - Threat Intelligence Program
• THR-02 - Indicators of Exposure (IOE)
• THR-04 - Insider Threat Program
• TPM-01 - Third-Party Management
• TPM-03.1 - Acquisition Strategies, Tools & Methods
• TPM-04 - Third-Party Services
• TPM-04.3 - Conflict of Interests