The audit process can seem daunting, but it doesn’t have to be. When you hire an auditing firm to streamline the audit process, you avoid many of the unknowns that usually plague organizations on their compliance journeys. At KirkpatrickPrice, we use the Online Audit Manager (OAM) to streamline the audit process and give you the assurance you deserve when completing an audit. Whether it’s your very first audit or several that you do annually, the OAM can be a game changer. 

Changing the Game with the Online Audit Manager

The Online Audit Manager is an audit delivery tool that allows KirkpatrickPrice to streamline the audit process for an organization. This online portal guides the user through audit objectives, requirements, and necessary documentation all in one place. Whether your organization has multiple audits or a single audit, the OAM allows you to streamline the audit process and combine the necessary compliance requirements into easily managed tasks.  

With the online portal, you can communicate with the auditor, receive remediation guidance, prepare effectively for your onsite visit, and manage progress in real time. Why would you settle for a complicated, chaotic audit process when you can choose to streamline it?

The Benefits of Streamlining Your Audit Process

1. Know Where You Are in Your Audit:

One of the greatest benefits when you streamline your audit process is that your organization knows the exact stage of the audit process that you’re in at all times. You don’t need to wonder what is left or if you need to do anything else to fulfill compliance objectives. You can simply log into the Online Audit Manager and check your progress easily by looking at the progress bar. 

2. Save Time:

When you streamline the audit process, you save your organization a great deal of time. What may have taken hours to discuss during an onsite visit can be reduced drastically through the online portal. The OAM also allows audit questions to automatically map to multiple frameworks, so you don’t have to waste time answering the same question over and over again. With a streamlined audit process, your onsite visit can focus on assessing your physical controls and reviewing documentation, since the preliminary data has already been gathered.

3. Reduce Your Audit Costs:

Conducting an audit without the Online Audit Manager leads to wasted time, and with unnecessary time comes unnecessary cost. With other tools on the market, you’re only paying for the tool, not the actual audit where you’ll receive a report you can show off to your clients and competitors. Our online portal is a part of our audit cost, so there is no extra charge for using this platform. By working with a firm that has an innovative tool and is qualified to deliver quality audit reports, your organization avoids extra costs. Quality audits are expensive, but streamlining your audit softens the cost to your organization.

4. Simplify the Audit Process:

The most important benefit to your organization is that the Online Audit Manager dramatically simplifies the audit process. Completing an audit is a big deal for an organization and any tool that provides clarity and simplification to the process is a tool your organization should use. The Online Audit Manager is the simplifying tool you have been looking for. Because the OAM can handle integrations for automated evidence gathering and 50+ compliance frameworks, you’re able to complete multiple audits within one tool. The days of using multiple tools and multiple firms to remain compliant are over. The Online Audit Manager paired with experts who care will help your audit feel a little less complicated. 

Streamline Your Audit with KirkpatrickPrice 

In many aspects of our lives, we’re looking for simpler, more efficient ways to get work done. Why is the audit process any different? To get the most out of your compliance journey, your organization needs to streamline the audit process. If you have questions about how you can streamline your audit or would like a demo of the Online Audit Manager, connect with a KirkpatrickPrice expert today so you can start accomplishing your compliance goals.   

When you start an audit, you’re looking for a quality experience in a timely manner. One of the biggest aspects of an audit is the onsite visit – but what if an auditing firm that you’re considering working with offers to skip the onsite visit in order to deliver your report faster? What if they say your internal controls don’t require an onsite visit? What if you have an entirely virtual workforce, so you don’t even have a location for an onsite visit? We encourage you to choose quality over convenience when it comes to choosing an auditing firm, and that decision includes onsite visits versus remote audits. What are the differences between these types of audit experiences? Let’s talk through what a 100% remote audit looks like and the value an onsite visit brings to the audit process.

What is a Remote Audit and Why Do They Fall Short?

A remote audit is an assessment conducted entirely online with no face-to-face interaction with an experienced auditor. Audit firms that engage in 100% remote audits use electronic communication to understand an organization’s internal controls. No auditor invading your space, no time wasted during an onsite visit, no money spent on auditor travel expenses…sounds convenient, right? At KirkpatrickPrice, we believe that an onsite visit is a priority and a necessity for any audit engagement. There are some things that just can’t be learned or understood over the Internet. Remote audits can only reach so far. Where do remote audits miss the mark?

  • Face-to-Face Contact: How can we accurately depict your organization if we’ve never met your staff in person? How can we get a feel for your company culture if we’ve never set foot in your building? When an auditor issues an opinion, they are putting their name, reputation, and their firm’s reputation on the line – at KirkpatrickPrice, we take that responsibility seriously. On the flip side, why would you trust your organization’s compliance efforts to a remote auditor whom you’ve never met in person?
  • Quality: High quality audits require attention to detail, accuracy in testing, and a thorough check of an organization’s controls. To reach this level of quality, an organization needs to have an auditor on the ground observing procedures, testing controls, and interviewing employees. Remote audits fail to provide these basic aspects of a quality audit.
  • Longevity: Compliance is a journey that your organization should not have to face alone. During an onsite visit, a senior-level auditor is focused on understanding your organization and where you are non-compliant so you can begin remediation. Remote audits don’t allow for a full understanding of compliance because they can’t physically check all of your requirements and don’t add to the longevity of your organization’s compliance.

At KirkpatrickPrice, we do use the Online Audit Manager to complete about 80% of an audit, but the other 20% of our audit process is an onsite visit for testing and verification. To get the most out of the audit process, you need to go through an onsite visit with your auditor.

What Should You Expect During an Onsite Visit?

Why should an onsite visit be included in the audit process? What can you expect when an auditor steps through your doors? How can you prepare for an onsite visit?

At KirkpatrickPrice, we begin the audit process through the Online Audit Manager to help you prepare as much as possible before the onsite visit. You will work with an Audit Support Professional to explain your controls, answer review questions, and send proper documentation to form a foundation for your onsite visit. When an auditor arrives to physically observe, review, and report on your internal controls, you can rest assured that they are focused on performing high-quality testing and understanding your organization better. An auditor will test physical security, organizational processes, personnel procedures, and any other controls that can’t be tested remotely. The detailed onsite visit will leave your organization with the assurance that you received a quality audit and are headed in the right direction toward compliance.

When it comes to quality, one of the things that I cannot impress upon our clients enough is the importance of the onsite visit with your auditor. When our company started in 2005, we were actually the originator of the remote audit. We developed a tool called the Online Audit Manager that allowed people to work with us remotely, submit evidence, and prepare for their audit. But we never eliminated the reason for the onsite visit, which was to send one of our qualified, experienced auditors into your environment, get to know you personally, work with you and observe your processes so that we can add value and help you address the risks that you face. We never want to see these audits performed 100% remotely because you would miss that very important aspect of it. Our company recently went down to Kennedy Space Center and one of the things that we saw is how our country has been sending missions to Mars. We have the Mars Rover, for example, on that planet taking evidence and performing a site visit, if you will. Why is NASA making every effort to send humans to Mars? They said it’s because humans can do things that robots can’t do. That’s why at KirkpatrickPrice, we believe that it’s so important to have these expert people come and visit you and work with you, because no one else can take their place.

The National Institute of Standards and Technology, NIST, defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Cloud computing is both a transformative and disruptive technology that provides an opportunity to rethink the way organizations fix problems that have been around for a long time. It’s important to recognize the value cloud environments can bring to the table, while also understanding the risk that is coupled with storing data in the cloud.

The assumption that everything is based in the cloud is simply not true. Not only is it inaccurate, it is harmful to an organization to believe an onsite analysis of its security controls is a waste of time. While your data may be stored in the cloud, your physical security processes, onsite technologies, and personnel who process the data are not in the cloud.

Risky Business in the Cloud

The 2019 Cloud Adoption and Risk Report from McAfee reports that 48% of all files in the cloud are eventually shared. The risk that is inevitably borne out of cloud computing increases with the amount of sensitive data that is stored. While your organization can work to minimize risk from the inside, the best way to reduce security threats is to have an independent auditor reviewing an organization’s controls onsite.

While some organizations believe an onsite visit for a company that works in the cloud is pointless, at KirkpatrickPrice, we know there are many moving parts to an organization with a cloud environment that need to be reviewed onsite. Although your data may be stored in the cloud, there are security measures that should be in place to protect access to the cloud.

Onsite Security for a Cloud Environment

Physical security practices must be implemented to mitigate the risk that cloud computing brings to an organization’s data. There are physical security processes auditors review during an onsite visit that an organization should be aware of:

  • Employee Operations: How does sensitive data get into the cloud? Who processes the information and manages updates to data? How often do your employees access the data stored in the cloud?
  • Physical Security: Do you have badges, biometric access controls, or security guards that allow access into your organization’s secure areas? Do your employees understand your physical security controls and use them properly?
  • Identification and Authentication: Who has access to the cloud? What multi-factor authentication processes are in place to properly identify personnel with access?

An auditor needs to review and monitor these security controls as they happen on an everyday basis. It’s a necessary component of a high-quality audit to have an auditor onsite during the audit process, especially for an organization that stores data in a cloud environment. Your organization is still susceptible to harm even with a cloud-based system. Don’t let threats have the upper hand on your organization’s data because you think an onsite visit is unnecessary. Let KirkpatrickPrice perform an audit that will leave you assured in your cloud environment’s security.

One of the biggest issues these days is that a company needs to go through an audit, but they’re not willing to bear the expense of an auditor traveling and meeting them in person. The argument that we’re given is, “Well, everything is in the cloud. That’s where our production environment is. There’s nothing to see here, right?” I think ignorance is bliss in that situation. We really like the idea of outsourcing the responsibility to a cloud service provider, but the truth is, everything is not in the cloud. What about your people? What about the processes that you expect your people to follow? What about the locations and the environment that the people work in? What about the data? How did it get into the cloud? Who has access to it? What about the developers and the code they have access to? Wouldn’t you want a qualified, experienced auditor to come inspect your environment and understand how you’re interacting with that cloud service? Last year, the McAfee security report talked about how 48% of the files in the cloud are eventually shared. This is one of the primary things we find in our audit. When we come and inspect your processes and what you’re doing, we usually find surprises about where your data resides. Our clients are really appreciative to finally understand how those things are working. Another thing that we find is that you might have some good processes for securely accessing your cloud environment, but sometimes your people will bypass those security controls. They won’t use multi-factor authentication, for example. This is something we want to inspect and work with you on so we can understand the risks that you’re truly facing when you’re interacting with that cloud environment. Be sure to work with a qualified, experienced auditor that’s willing to come and meet you, get to know you, work with you personally, and inspect your environment to identify the risks that you’re actually facing.

In order for an audit to comply with regulations, it must be conducted by an auditor with an independent opinion. What is an independent opinion? It’s an auditor’s unbiased, objective stance towards an organization which leads to an accurate, credible report on an organization’s security and compliance. Any type of information security audit needs to have an independent auditor, but especially in the case of a CPA performing SOC 1 and SOC 2 audits. As a CPA firm, KirkpatrickPrice does not conduct audits for organizations if there are established financial ties, familial relationships, or in any situation where the auditor could not claim complete independence from the organization.

Maintaining independence allows an auditor to gather necessary data without any outside influence on their opinion. An auditor can then maximize the clarity in their report which, in turn, provides your organization with the most precise and true opinion on your controls.

Choosing an Independent Auditor

How does your organization choose an independent auditor that fits your needs? You need an auditor with the high-quality credentials that fit you best. For a SOC 1 or SOC 2 audit, you need to specifically choose a CPA firm that implements practices that ensure independence in every step of the audit. At KirkpatrickPrice, we have auditors with qualifications that ensure their independent opinion. These practices and qualifications include:

  • Annual Independence Check: Once a year, KirkpatrickPrice auditors must confirm their independence towards clients of the company. They review a client list and register whether or not they have any previous ties to the organization. The practice of a yearly independence check confirms an auditor is performing a completely independent audit.
  • Certification: Our senior-level Information Security Specialists hold various high-quality certifications which keep them updated on top practices in the security industry. Their expertise is founded in certifications such as CompTIA, SANS, ISACA, project management, and Microsoft certifications. These certifications confirm the skills and proficiencies KirkpatrickPrice auditors have to form a qualified independent opinion of your organization.
  • Experience: Auditors at KirkpatrickPrice have an average of 17 years of experience. Our focus on hiring senior-level auditors proves itself valuable in every audit. The years of experience behind each Information Security Specialist gives your organization the assurance needed to trust their independent opinion.

Independence is Key

While there may be many difficult decisions an organization has to make when preparing for an audit, choosing a CPA firm with an independent perspective shouldn’t be one of those. The focus on a wholly independent opinion in an audit is important to the accuracy and validity of the work we perform at KirkpatrickPrice. Independence is one of the building blocks all qualified assessors must maintain. Make sure you finish your audit knowing you chose a certified, reliable firm with independent auditors to conduct your assessment.

The reason you hire a CPA firm to conduct your audit is because an audit should be done from an independent perspective. A Certified Public Accountant is statutorily required to maintain independence in audits. We can’t audit our brother’s company. We can’t audit a company that we have invested in and therefore have some financial incentive in the results of that audit. We have to maintain independence in form, fact, and appearance. This is something very important to understand as you choose your audit firm and as you interact with the auditor who’s working on your audit. We have to have access to the information that we need access to. We have to be able to talk to the people who have an understanding of your controls and your compliance initiatives. The reason this is so important is because when you get that final written report on your audit, it has to be from an authorized and credible resource who has maintained independence throughout.

What is Reasonable Assurance?

The AICPA defines reasonable assurance as a high, but not absolute, level of assurance. In an audit, that means perfection is not the goal because absolute assurance is not obtainable. Instead, auditors use reasonable assurance in their testing to come to a practical conclusion about the details of your organization’s security controls. At KirkpatrickPrice, our Information Security Specialists provide expert audits that focus on accuracy, attention to detail, and skilled efforts to meet standards of reasonable assurance.

During the audit process, our senior-level auditors use three guiding practices to ensure a thorough audit is performed: interview, observe, review. These practices enable our auditors to gain a certain quantity and quality of data in an effort to reach a level of reasonable assurance.

Interview

During the many stages of an audit, the Information Security Specialist designated to an organization will engage in direct discussion through weekly conference calls, our Online Audit Manager, and face-to-face conversations. These discussions focus on gaining understanding of an organization’s internal controls already in place and who is responsible for those controls. The interview portion of an audit allows auditors to gain enough information to form conclusions and gain reasonable assurance.

Observe

When an auditor makes an onsite visit, they walk through internal processes and confirm an organization is implementing the controls gathered by the auditor in previous discussions. The Information Security Specialist observes the practices, physical security safeguards, and personnel procedures that are applied within an organization. The auditor observes a number of controls that allow for a decision to be made on whether the processes meet compliance standards. By observing large quantities of internal controls during an audit, auditors can provide reasonable assurance that their conclusions are accurate and thorough.

Review

Information Security Specialists also analyze documentation provided by an organization during the audit process. This review of policies, procedures, and other physical documentation is an opportunity for an auditor to understand particular processes that are written into an organization’s frameworks. When reviewing, auditors pay close attention to consistencies in policies as well as physical procedures. These detailed reviews help to foster a higher level of assurance. Once an auditor determines a level of reasonable assurance can be met, they can provide proper education and help clients on the road to compliance success.

Whenever you hire a CPA firm to conduct an audit for you, the threshold that we’re trying to meet is something called reasonable assurance. You can’t have absolute assurance in an audit because, in order for something to be absolute, everything would have to be perfect. We would have to see everything at all times. It’s just not practical and no one wants to spend the money it would take to reach absolute assurance, if that’s even possible. Reasonable assurance means that we have met a level of reasonableness in the testing that we performed. Would someone who has equivalent skills and expertise come to the same conclusions that we did? Did we do enough testing in order to gain that level of reasonable assurance? Is the level of effort that we’re asking you to participate in reasonable under the circumstances when you consider the risk that is involved? This is something to really understand when you go into your audit – that your auditor is going to be trying to reach that level that we call reasonable assurance.