Auditing Basics Video Series

Undergoing any kind of audit can be daunting, especially if you’ve never done it before. If you’re new to SOC 1 or SOC 2 audits, there are critical pieces of information that you need to know before your engagement starts. That’s where this video series can help. In the following videos, our President, Joseph Kirkpatrick, will walk you through auditing basics, including high-level overviews of SOC 1 and SOC 2 audits, as well as more in-depth information about what to expect during the audit process, how to use your SOC 1 and SOC 2 audit reports, and more. Watch our Auditing Basics video series now to learn how you can protect your organization against the ever-changing threat landscape and to find out how you can get the most out of your audit engagements with KirkpatrickPrice.

Featured Episode:

5 Components of Internal Control

When an organization pursues SOC 1 compliance, they’ll be tested against the COSO Internal Control – Integrated Framework. This framework is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls. In order for an organization to successfully complete a SOC 1 audit, they’ll need to meet the three objectives of internal control, demonstrate that they have the five components of internal control in place and functioning, and implement the 17 principles related to internal control outlined in the framework. While we’ve already covered how organizations can meet the three objectives of internal control, let’s take a look at the five components of COSO and what they mean for SOC 1 compliance.

3 Objectives of COSO

If you’re new to the SOC 1 audit process, you might be wondering what framework is used to evaluate the effectiveness of internal controls. This would be the Committee of Sponsoring Organizations of the Treadway Commission, or COSO Internal Control – Integrated Framework. This framework is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls. It outlines three objectives, five components of internal control, and 17 principles related to internal control that organizations must meet to demonstrate compliance. When undergoing a SOC 1 audit then, organizations should strive to meet COSO’s three objectives for internal control: operations, reporting, and compliance. Let’s take a look at what those are and how they could impact your SOC 1 compliance journey.
What is a SOC 1 Report?

Once you’ve made it through the evidence gathering portion of the SOC 1 audit process, our specialized team of professional writers will take the information gathered by our auditors and provided by you in our Online Audit Manager to create a final SOC 1 report. What is a SOC 1 report? It is a report that is based on the Statement on Standards for Attestation Engagements Number 18, Section 320 (SSAE 18) and reports on the effectiveness of your internal controls that may be relevant to your client’s internal controls over financial reporting (ICFR). What’s included in this report? How do you use a SOC 1 report? Let’s find out.
Explaining Audit Periods

While SOC 1 Type I audit engagements evaluate a service organization’s internal controls that could impact their user organizations’ internal control over financial reporting (ICFR) at a specific point in time, a SOC 1 Type II audit evaluates those same controls over a period of time, usually between six and twelve months. How do you go about choosing your audit period? There are a few things you need to know.
Will I Pass or Fail the SOC 1 Audit?

If your organization is making the investment in information security audits, it’s understandable to question whether or not you will pass or fail the audit. After all, many organizations pursue compliance because they have something at stake, like a new client or a big product launch, and if they do not pass the audit, there could be severe consequences. However, there’s good news when it comes to SOC 1 audits: the framework is built on the SSAE 18, a standard that is not based on a pass or fail model. Instead, your SOC 1 compliance is determined based on reasonable assurance. What exactly does that mean? Let’s take a look.
Do I Need a SOC 1 Type I or a SOC 1 Type II?

If you’ve been asked to demonstrate SOC 1 compliance, you’ll need to determine what exactly is being asked of you. For example, do you need a SOC 1 Type I or SOC 1 Type II audit? Do you need both? Let’s take a look at the difference between a SOC 1 Type I and SOC 1 Type II audit and how you can determine which is most suitable for your organization’s compliance efforts.
What is a SOC 1 Audit? What are the benefits of becoming SOC 1 compliant?

If your organization has the ability to impact your customers’ internal controls over financial reporting (ICFR), then you’re likely to be asked by those customers to undergo a SOC 1 audit. But what exactly is a SOC 1 audit? Let's discuss.
What's The Difference Between SOC 1 Type I and SOC 1 Type II?

When you begin thinking about pursuing SOC 1 compliance, you’ll have the option of choosing a Type I or Type II audit. While both of these audits assess a service organization’s controls and processes that may impact their clients’ internal control over financial reporting (ICFR), the biggest difference between the two types of audits is the audit period. Let's discuss.
Auditing Basics: How Does Sampling Work?

Why is Sampling Used During an Audit? When an organization undergoes an audit, there are often a large number of internal controls that an auditor has to review. To make this process more efficient, auditors are likely to use sampling whenever the population being tested is uniform and there are standards that are applied across the board.
Auditing Basics: Auditor's Test of Controls

How Do Auditors Perform Tests of Controls? In order for an audit firm to be able to provide reasonable assurance and issue an opinion on an organization’s compliance with SOC 1 or SOC 2 audits, they have to test the internal controls that each organization has in place and verify that they are working as intended. To do this, auditors typically perform three types of tests of controls: interviews, reviews, and observations.
Auditing Basics: What is Scope?

Knowing where your assets reside is critical for any organization. Why? Because knowing where your assets reside and which controls apply to them is the only way you can manage and secure them from a potential data breach or security incident. During the initial phases of a SOC 1 or SOC 2 audit, an auditor will walk you through defining the scope of your audit. But what exactly does that entail? The scope of your audit sets boundaries for the assessment. It requires organizations to identify the people, locations, policies and procedures, and technologies that interact with, or could otherwise impact, the security of the information being protected.
Auditing Basics: Audit Risk, Control Risk, and Detection Risk

SOC 1 and SOC 2 audits are largely impacted by various types of risk. During a SOC 1 or SOC 2 audit, an auditor will be focused on limiting the following types of risk: audit risk, control risk, and detection risk. So, how are those risks different? How do they affect an auditor while performing SOC 1 or SOC 2 audits? Let’s discuss.
Auditing Basics: Carve-Out vs. Inclusive Vendors

During the initial scoping phases of an organization’s audit engagement, your auditor will partner with you to help you narrow down the third-party vendors to be included in your engagement. In order to ensure that your organization’s security posture is and remains strong, you need to consider the impact that the third-party vendors you’ve entrusted sensitive data with could have on your organization. This means that you’ll need to be able to list who your third-party vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Knowing this information will help you determine whether or not you need to carve them out of your audit or include them. What’s the difference between carving out or including third-party vendors in an audit? Let’s take a look.
Auditing Basics: What is a Gap Analysis?

If it’s your first time pursuing compliance for any framework - whether it’s SOC 1, SOC 2, PCI DSS, HIPAA, GDPR, etc. - we strongly recommend beginning your engagement with a gap analysis. At KirkpatrickPrice, we’re committed to helping our clients get the most out of their audit, which means that we don’t want you to fail due to lack of preparation. That’s why our gap analysis service is specifically designed to help you prepare for the audit so that you can meet your compliance goals. How does the gap analysis process work? Organizations are partnered with an Information Security Specialist and an Audit Support Professional, who identify any operational, reporting, and compliance gaps and then offer advice on strategies for remediation. Ultimately, a gap analysis asks and answers, “How are we doing compared to what regulations require?”
Auditing Basics: What are Control Objectives?

Control objectives are statements that address how risk is going to be effectively managed by an organization, and your auditor will be validating whether or not your organization meets these control objectives during a SOC 1 or SOC 2 audit. The AICPA requires that the description of the service organization's systems includes specific control objectives and controls designed to achieve those objectives, and control objectives are typically presented in a matrix format.
Auditing Basics: What is an Assertion?

At the beginning stages of the SOC 1 or SOC 2 audit process, an organization will be asked to provide management's written assertion to their auditor. This assertion lays the foundation for the audit because it is a written claim by an organization describing their systems and what it is their services are expected to accomplish for the organizations they do business with. It tells auditors how an organization’s system is designed and how it’s supposed to operate. For an auditor to be able to perform a SOC 1 or SOC 2 audit, the organization must acknowledge and accept the responsibility of providing management's written assertion.