A service organization should identify the risks that threaten the achievement of its control objectives (ref. ISAE3402.13 sub iv). The service auditor should evaluate the linkage between the controls identified at the service organization and the risks identified. The process for identifying risks may be formal or informal; a thoughtful identification of controls might itself comprise an informal process for identifying risks (ref. ISAE3402.A10).
In the original SAS70 standard a reference was made to the COSO risk management framework. ISAE3402 does not make a specific reference to the COSO framework. The ISAE3402 framework does, however, refer to event identification, risk analysis, the provision of information, the control framework and monitoring, which indirectly references the COSO ERM framework. The Foundation for Corporate Governance advises applying the COSO ERM framework as best practice for ISAE3402.