cc3.1-4-001

CC3.1 · D4 · f1

Difficulty

Gaps

Red Herrings

63%

Avg Score

Task

You are a SOC 2 auditor evaluating Vertex AI Corp's risk management controls under Trust Services Criteria CC3.1. Review all provided evidence documents to assess whether the organization's risk identification, assessment, and management processes are operating effectively. Evaluate the completeness of risk coverage, timeliness of risk reviews, adequacy of risk treatment, and governance oversight. Identify any gaps or deficiencies, but be careful to distinguish genuine gaps from risks that have been properly managed through formal exception and governance processes.

Evidence

evidence/risk-management-policy.md — Vertex AI Corp risk management policy defining the risk assessment framework, governance structure, risk rating methodology, and treatment requirements
evidence/risk-register.csv — Active risk register with 18 risks including risk ratings, treatment plans, owners, and review dates from the ServiceNow GRC module
evidence/risk-assessment-report-2025.md — 2025 Annual Risk Assessment Report dated March 2025 covering 15 risk categories with findings, treatment summary, and recommendations
evidence/exception-register.csv — Exception register documenting the Board-approved exception for RISK-014 (Critical-rated cross-border data transfer risk acceptance)
evidence/business-impact-analysis.md — Business Impact Analysis summary identifying critical processes and recovery priorities -- related to risk management but focused on BCP/DR rather than the risk assessment process itself [noise]

Findings

ID	Type	Severity	Finding
F-001	red_herring	low	RISK-014 Critical Risk Accepted Without Mitigation RISK-014 (cross-border data transfer non-compliance) is rated Critical (Likelihood 4, Impact 5, Rating 20) with a treatment strategy of 'Accept.' This appears to be an unmitigated Critical risk. Howev...
F-002	gap	high	Three Risks Overdue for Quarterly Review The risk management policy (Section 7.2) requires quarterly review of all risks by their owners. Three risks in the register have not been reviewed within the required quarterly cycle: RISK-008 (Softw...
F-003	gap	high	Two High-Rated Risks Without Assigned Owners The risk management policy (Section 3.2) requires that each identified risk must have a designated Risk Owner responsible for implementing treatment plans, monitoring risk indicators, and reporting st...
F-004	gap	medium	Annual Risk Assessment Missing Supply Chain and AI/ML Risk Categories The 2025 Annual Risk Assessment Report covers 15 risk categories but notably omits two categories that are highly relevant for a company named 'Vertex AI Corp' that develops AI/ML products: (1) AI/ML ...
F-005	gap	medium	Risk Assessment Report Staleness Approaching End of Validity The annual risk assessment was completed in March 2025 and by the end of Q4 2025, the assessment is 9 months old. The policy requires annual risk assessments (Section 4.1, 'typically in Q1'), and the ...

Results

Model	Provider	Score	Recall	Prec.	F1	Gaps	Reported
Sonnet 4.6	Anthropic	73%	100%	57%	73%	4/4	7
Opus 4.7	Anthropic	62%	100%	44%	62%	4/4	9
GPT-5.5	OpenAI	50%	75%	38%	50%	3/4	8
GPT-4.1	OpenAI	80%	100%	67%	80%	4/4	6
Haiku 4.5	Anthropic	67%	75%	60%	67%	3/4	5
GPT-4o	OpenAI	44%	50%	40%	44%	2/4	5