Risk Register
Controls & Security · Last updated 2026-05-17

A risk register is the canonical inventory of identified risks to a service organization, typically maintained as a structured table or database. Each entry records a risk description; the threat source or vulnerability it stems from; likelihood and impact ratings; the inherent risk score derived from those ratings before any controls are considered; the existing controls that mitigate the risk; the residual risk that remains once those controls are applied; the assigned risk owner; the treatment decision (accept, mitigate, transfer, or avoid); and, where mitigation is selected, the remediation timeline. SOC 2 audits expect the register to be reviewed and updated at least annually as part of the formal risk assessment process, and more frequently when significant changes occur in the business or the threat landscape. The register feeds vendor risk management, audit scope decisions, and security program prioritization. Auditors test it by sampling entries and verifying that the documented controls are actually in place, reviewing treatment decisions for reasonableness (for example, whether accepting a high residual risk is justified), and confirming that high-risk items have an owner and a remediation timeline. SimpleAudit maintains a risk register that updates automatically as new gaps are identified through continuous assessment.