A gap analysis is designed to prepare organizations for an audit. If it’s your first time going through an audit (SOC 1, SOC 2, PCI, HIPAA, HITRUST CSF, etc.), KirkpatrickPrice strongly recommends a gap analysis. This is a process of discovery, a chance to find areas of weakness, and an opportunity to gain industry insight. A gap analysis is not an audit. This process will examine your internal controls in order to identify operational, reporting, and compliance gaps and to provide advice on strategies to manage control objectives going forward. A gap analysis is an efficient way to determine the steps you need to take in order to reach your information security and compliance goals based on the current state of your organization’s security controls.

Through a virtual or onsite gap analysis, one of our experienced, senior-level auditors will spend time with your team and review policies and procedures, perform interviews of responsible personnel, and create a gap analysis report. If a gap analysis is performed, KirkpatrickPrice will document identified gaps and recommended actions in our Online Audit Manager and provide the raw findings. After an organization has remedied the non-compliant findings, KirkpatrickPrice will continue with the audit.

If it’s your first time going through an audit of a specific framework, let us be your guide. Contact us today for more information on the value of gap analysis and what KirkpatrickPrice’s process is.

One of the things that we offer to assist organizations in the beginning of their SOC 1 audit is a gap analysis. One of our experienced, senior-level auditors will come to your facility and spend time with you to review your policies, procedures, and practices, interview your staff, and quickly identify any gaps that must be addressed in order to proceed with the audit. Our firm provides audit services worldwide, so no matter where you are, this gap analysis can be a very valuable way to quickly analyze what you have in place and what you need to have in place in order to complete a SOC 1 audit.

What are Control Objectives and How are They Used in a SOC 1 Audit Report?

A key aspect of a SOC 1 audit report is the concept of control objectives. Control objectives are a series of statements that address how risk is going to be effectively mitigated. According to the PCAOB, “A control objective provides a specific target against which to evaluate the effectiveness of controls. A control objective for internal control over financial reporting generally relates to a relevant assertion and states a criterion for evaluating whether the company’s control procedures in a specific area provide reasonable assurance that a misstatement or omission in that relevant assertion is prevented or detected by controls on a timely basis.”

How Do You Determine Control Objectives?

There are typically 10 to 30 control objectives in a SOC 1 report, which an auditor will help you design. When scoping a SOC 1 engagement, you can create and organize a complete set of control objectives. One exercise to try is asking management to list all of the key services or activities that you, the service organization, provide to user organizations. This can help you tailor control objectives to exactly what activities you perform.

Let’s say your control objective is, “Our controls provide reasonable assurance that we restrict unauthorized access to our critical systems.” To achieve this control objective, your organization would put controls in place such as locked doors, badges, monitoring systems, and logical access controls (user provisioning, authentication, and periodic access reviews), each of which restricts unauthorized access to critical systems. The auditor then tests those controls, not the objective itself, to conclude whether the objective is achieved.

If it’s your first time having a SOC 1 audit performed, we strongly recommend starting with a gap analysis of your organization’s internal controls in order to identify operational, reporting, and compliance gaps and to provide advice on strategies to manage control objectives going forward. If you have questions about SOC 1 audits or want help demonstrating to your clients your commitment to security and compliance, contact us today.


Part of the terminology that you will see over and over in your SOC 1 report is the concept of control objectives. The auditor will assist you in writing your control objectives. This is what you’re trying to achieve with the implementation of control.

Let me give you an example: our controls provide reasonable assurance that we restrict unauthorized access to our critical systems. You put into place controls such as locked doors, badges, monitoring systems, logical access controls. These controls have been put into place and have been designed to achieve the control objective, which is to restrict unauthorized access.

There are typically 10 to 30 objectives in a SOC 1 report, on average. These would be determined by what you do as an organization. So, our auditors would assist you in designing the way in which those control objectives are written, because those would be key parts in the SOC 1 report.

What is an Assertion?

One of the things that management must provide to the auditor as part of a SOC 1 engagement is an assertion. What does that mean? What is an assertion?

In everyday life, an assertion is a confident statement of fact or belief. In the world of auditing, assertions are still confident statements of fact or belief, but with a twist: they are claims made by management regarding certain aspects of their business. In a SOC 1 engagement, management’s assertion accompanies its description of the system you provide as a service to your clients. It states that the description is fairly presented and that the controls were suitably designed (and, for a Type II, operating effectively) to achieve the control objectives, and the auditor must determine whether this is fairly presented in the audit report. Because a SOC 1 covers controls relevant to user entities’ internal control over financial reporting, the assertions those controls support are the familiar financial statement assertions described below.

Types of Assertions

Auditors rely upon a variety of assertions regarding a company. Assertions will fall into one of the following categories:

  • Assertions Related to Transactions – This type of assertion could be related to the occurrence of a transaction, the completeness of transactions, the accuracy in recording transactions, cutoff (recording transactions in the correct accounting period), and the classification of transactions.
  • Assertions Related to Account Balances – Assertions of this type focus on assets, liabilities, and equity balances at the end of a period. These assertions will be related to the existence of assets, liabilities, and equity balances at the end of a period, the completeness of the recording account balances in financial statements, the rights and obligations of the entity, and the valuation of assets, liabilities, and equity balances.
  • Assertions Related to Presentation and Disclosures – Assertions in this category highlight how information like transactions, balances, and other events are presented within financial statements. Assertions will relate to the occurrence of transactions and events disclosed in financial statements, the completeness of transactions and events disclosed in financial statements, the classification and understandability of transactions and events disclosed in financial statements, and the accuracy and valuation of transactions and events disclosed in financial statements.

Testing Assertions

Assertions must be validated by auditors during a SOC 1 engagement. If an assertion states that the salaries and wages of all employees have been accounted for, then an auditor will test to confirm this. Reviewing documentation is a major part of an auditor’s testing. An auditor, for example, might re-perform your organization’s procedure for checking the occurrence of transactions. If the result of the procedure doesn’t match the assertion, that is an exception, and it will be recorded in the test results of the report.

More questions about SOC 1 audits? Want help demonstrating to your clients your commitment to security and compliance? Contact us today.

One of the things that management must provide to the auditor as part of a SOC 1 engagement is an assertion. The assertion consists of management’s description of the system that you’re providing as a service to your clients. This assertion will provide a detailed description of how the system is designed and operating, and the auditor must determine if this is fairly presented in the audit report.

Organizations put valuable resources into completing SOC 1 audits: time, money, people, technology, and more. We know that a SOC 1 audit can often make or break our clients’ business, and we don’t take that lightly. When someone asks us, “Will I pass a SOC 1 audit? What if I fail the audit? What happens if I fail?”, we want to give them the best explanation we can in regards to reasonable assurance.

Reasonable Assurance Explained for SOC 1 Audits

When explaining reasonable assurance, there’s one important lesson to understand: SOC 1 audits do not work on a pass/fail system. The purpose of a SOC 1 report is to provide user entities and their auditors reasonable assurance that the service organization’s controls relevant to the user entities’ internal control over financial reporting (ICFR) are suitably designed and, for a Type II report, operating effectively. Instead of passing or failing your organization, the auditor issues an opinion, which in practice is either unqualified or qualified. Understanding reasonable assurance changes your mindset from, “What if I fail the audit? Will I pass the audit?” to “How would an auditor assess these controls?”

If testing shows that a control was not in place or not operating effectively, the result is an exception, and exceptions are documented in the test results section of the report. When an exception (or a group of them) means that a control objective is not achieved, the auditor issues a qualified opinion. This would sound something like, “Except for the matter described for Control X, the controls were suitably designed and operating effectively to provide reasonable assurance that the control objectives were achieved.” An unqualified opinion means there are no such qualifications or significant exceptions, and reasonable assurance has been determined. Note that an unqualified opinion does not necessarily mean zero exceptions were found; it means none of them prevented a control objective from being achieved.

Understanding the concept of reasonable assurance can help you approach SOC 1 audits in a healthy way. Instead of asking, “Will I pass a SOC 1 audit? What if I fail the audit?”, you can look at your organization’s controls and ask, “Would an auditor see that these controls are suitably designed? Are they operating effectively? Would we achieve reasonable assurance?”


One of the questions that we get all the time is: will I be able to pass the audit? What if I fail the audit? The SSAE 16 (now SSAE 18) does not work on a pass/fail system. It works on a threshold of reasonable assurance. The auditor will issue an opinion about whether or not the controls are suitably designed and operating effectively during a period of time.

An unqualified opinion means that there are no qualifications or opinions being issued and reasonable assurance has been determined. Whereas a qualified opinion would be an opinion where there are some qualifications to that opinion. For example, “Except for this or that, reasonable assurance is there. The controls have been suitably designed and are operating effectively.”

Understanding the concept of reasonable assurance is a good way to approach your audit so that you can understand if an auditor can achieve reasonable assurance when they look at your controls and determine if they’re operating effectively.

When considering having a SOC 1 audit performed, there are two different report options available. Knowing whether you need a SOC 1 Type I or a SOC 1 Type II report will depend on your client’s needs and timing constraints.

What’s the difference between a SOC 1 Type I and a SOC 1 Type II report?

A SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. The main difference is what the auditor opines on and when. A SOC 1 Type I report covers the fairness of management’s description of the system and the suitability of the design of the controls as of a specified date; it does not test whether the controls actually operated. A SOC 1 Type II report covers the same description and design, and additionally tests the operating effectiveness of the controls over a review period, typically at least six months, so that the auditor can attest that the controls not only existed but worked throughout that period.

Do I need a SOC 1 Type I or a SOC 1 Type II Report?

If your client has requested a SOC 1 report from you but doesn’t require a specific type, how do you determine whether you need a SOC 1 Type I or a SOC 1 Type II report? If it’s your first time going through a SOC 1 audit, we commonly advise clients to begin with a Type I and then move to a Type II the following audit period. SOC 1 Type I reports are less constraining than a SOC 1 Type II report. SOC 1 Type I reports also give you the opportunity to work with your auditor on designing controls and ensuring that the description of controls would be fair and accurate in the report.

If you’re required to receive a SOC 1 Type II report, additional testing is necessary to determine that the controls are not only in place, but also operating effectively over a period of time. SOC 1 Type II audits take more time to conduct because you’re looking at controls over a period of time.

It’s important to weigh these factors, your clients’ needs and your timing constraints, when deciding whether you need a SOC 1 Type I or a SOC 1 Type II report. If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, contact us today.

The type of report that you should receive for your SSAE 16 (now SSAE 18), many times is determined by what your client is asking you to do. Sometimes your request from your client will be an SSAE 18 report, period. There are two types of reports. There’s a Type I and a Type II. If you’ve never done an SSAE 18 report before, it’s a good idea to begin in the first year with a Type I report. If your client is not requiring you to constrain to the Type II report, a Type I report gives you the opportunity to work with the auditor on designing your controls and ensuring that the description of your controls would be fair and accurate in the report. That’s the threshold for a Type I report.

If they are requesting you to do a Type II report, there is additional testing that must take place from the auditor in order to determine that the controls are not only in place, but also operating effectively over a period of time. A Type I is a good place to start because you’re able to address the design and description of the controls as of a certain date, whereas a Type II report takes a little bit more time to conduct because you have to look at those controls having been in place over a period of time. Please consider those factors as you determine if you need a Type I or Type II SSAE 18 report.