When a quality audit is performed by KirkpatrickPrice, there are many qualified experts behind the scenes completing the documentation review, project management, onsite visit, remediation efforts, report writing, and quality assurance. These security professionals work to provide the best assurance service possible to your organization. How exactly can you finish your audit process feeling assured and secure? You need to make sure you aren’t settling for anything less than a high-quality audit.

The Professionals Behind a Quality Audit

At KirkpatrickPrice, we believe that it is our responsibility to provide a quality audit, performed by an expert Information Security Professional, in an appropriate timeline. To meet that goal, we have the following personnel working on each assurance engagement:

  • Audit Support Professional: From the first call you have with an Audit Support Professional, you can expect a well-informed and thorough experience.
  • Information Security Professional: The Information Security Professional assigned to complete your audit is a senior-level auditor with security certifications that speak to the expertise of our firm.
  • Quality Assurance Expert: Our Quality Assurance team reviews testing results from our auditors to ensure detailed and accurate information has been gathered.
  • Professional Writer: The Professional Writers who assemble your report condense the audit information and test results into one document that is delivered directly into your hands.
  • Marketing Specialist: When you have completed your audit, our specialized Marketing Team presents your organization with a complimentary press kit to help you assure your clients, update your shareholders, and stand out among industry leaders.

Why do we do all this? To make sure each of our clients receives a quality audit.

Assurance KirkpatrickPrice Can Provide

The assurance you’re looking for when you begin an audit is an assurance only a high-quality auditing firm can provide. KirkpatrickPrice’s motto, “We Make Sure,” is evidence that our goal is to help you understand your internal controls and the security standards you are expected to meet. By the end of an audit process, you should be able to determine your level of compliance, understand the details of your security practices, and continue working to close any gaps within your organization.

Assurance gives your clients peace of mind. It provides you with the necessary tools to maintain compliance. It gives your shareholders something to lean on to prove the quality of your organization. When you choose KirkpatrickPrice, you’re choosing a higher level of assurance.

The Kirkpatrick family motto is “I make sure.” When I was a child, I didn’t exactly understand what that meant, but after we got into this business of assurance, I started to see how it relates to exactly what we do in our audits. Whenever we complete an audit, our clients are always asking us, “How did we do? Are we the worst you’ve ever seen? How do we compare against all of our peers that are out there? Are we meeting the standards that are expected of us?” That’s what a good audit should do. It should bring you a level of assurance so that you can understand that the controls you’ve designed and put into place are working the way that you intended them to work. It also tells you whether or not you’re meeting your compliance goals. A good audit also provides a level of assurance to your third parties, clients, and other stakeholders who want to know from an independent third-party source that there’s assurance you’re meeting the goals and you’re meeting the standards that they expect of you. That’s what a written report in your hand does for you at the end of the audit. It provides that assurance. You want to make sure that you’re working with an audit firm that makes sure.

SOC 1 and the COSO Framework

If you’re new to the SOC 1 audit process, you might be wondering what framework is used to evaluate the effectiveness of internal controls. That framework is the Internal Control – Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls. It outlines three objectives, five components of internal control, and 17 principles related to internal control that organizations must meet to demonstrate compliance.

When undergoing a SOC 1 audit, then, organizations should strive to meet COSO’s three objectives for internal control: operations, reporting, and compliance. Let’s take a look at what those are and how they could impact your SOC 1 compliance journey.

How Do the 3 Objectives of COSO Impact a SOC 1 Audit?

Because a SOC 1 audit places a large emphasis on the concept of internal control, meeting the three objectives of COSO is especially important. To do so, consider the following questions:

  1. Operations: Are the controls that you’ve put into place operating effectively, so that you can be certain your operations are running the way you expect them to perform?
  2. Reporting: What types of reports do you provide to your clients? What is it that they rely upon from you to verify that your services are operating the way they expect them to operate?
  3. Compliance: What laws and regulations apply to the services that you’re performing so that your clients can rely on your services and be in compliance as well?

Want to get started on your SOC 1 compliance journey? Learn more about the COSO Internal Control – Integrated Framework and how you can meet the three objectives of COSO. Contact us today.

Video Transcription

A SOC 1 audit focuses quite a bit on the concept of internal control. There’s a publication out there from COSO known as the Internal Control Framework, and there are three objectives that you are striving for internal control. The first one has to deal with operations. Are the controls that you’ve put into place operating effectively so that you can be certain about the ways that your operations are running and the ways you’re expecting them to perform? The second one is reporting. What types of reports do you provide to your clients? What is it that they rely upon from you to verify that your services are operating the way they expect them to operate? The third objective is compliance. What laws and regulations apply to the services that you’re performing so that your clients can rely on your services and be in compliance as well?

If your organization is making the investment in information security audits, it’s understandable to question whether you will pass or fail the audit. After all, many organizations pursue compliance because they have something at stake, like a new client or a big product launch, and if they do not pass the audit, there could be severe consequences. However, there’s good news when it comes to SOC 1 audits: the framework is built on SSAE 18, a standard that is not based on a pass or fail model. Instead, your SOC 1 compliance is determined based on reasonable assurance. What exactly does that mean? Let’s take a look.

What is Reasonable Assurance?

During the audit process, your auditor will perform various tests, interviews, and observations to determine whether or not there is reasonable assurance that your organization has internal controls in place and operating effectively. Because there is no way to give absolute assurance that these internal controls are operating as intended, auditors must be able to give reasonable assurance that controls are in place and operating effectively.

What’s the Difference Between a Qualified and Unqualified Opinion?

When an auditor determines if there’s reasonable assurance, they’ll issue either a qualified or unqualified opinion. An unqualified opinion means there are no qualifications or significant exceptions being issued and reasonable assurance has been determined. On the other hand, if an auditor issues a qualified opinion, this means that there are exceptions. So, for example, “Except for control X, internal controls are in place, suitably designed, and operating effectively.” In cases where a qualified opinion is issued, we will list the specific aspects of your system that were not operating effectively in your SOC 1 audit report.

Want to learn more about how KirkpatrickPrice can assist you on your SOC 1 compliance journey? Contact us today.

More SOC 1 Resources

Understanding Your SOC 1 Report Video Series

SOC 1 Compliance Checklist: Are You Prepared for an Audit?

How to Read Your Vendor’s SOC 1 or SOC 2 Report?

Video Transcription

It’s very common for us to get asked, “Am I going to pass this audit? What if I fail? Is it going to be bad for our organization if the audit doesn’t go well and we get a failing grade?” Well, a SOC 1 audit is based on the SSAE 18 standard, and the standard does not work on a pass or fail system. The benchmark is something called reasonable assurance. We can’t have absolute assurance that something is operating a particular way, so the highest level is called reasonable assurance. The auditor has to come to a conclusion using testing and analytic procedures to form a reasonable basis for their opinion, which answers: Is this control designed properly? Is it in place? Is it operating effectively over a period of time? We’re looking for reasonable assurance. If we issue an unqualified opinion, that is an opinion where there are no qualifications to our opinion. It means that an organization’s controls are in place, operating effectively over a period of time, and our opinion has not been qualified. A qualified opinion has the line “except for”. So, for example, “Except for X, the controls are in place, suitably designed, and operating effectively.” We would qualify the opinion by calling out individual aspects of the system that maybe were not operating effectively during the opinion. Ask yourself the question, “Can my auditor form an opinion that’s based on reasonable assurance that our controls are operating effectively?” Talk to one of our Information Security Specialists and let us talk to you about what your environment looks like and the types of practices that you’ve had in place, and let us give you our opinion on what reasonable assurance would look like for your organization.

If you’ve been asked to demonstrate SOC 1 compliance, you’ll need to determine what exactly is being asked of you. For example, do you need a SOC 1 Type I or SOC 1 Type II audit? Do you need both? Let’s take a look at the difference between a SOC 1 Type I and SOC 1 Type II audit and how you can determine which is most suitable for your organization’s compliance efforts.

What’s the Difference Between a SOC 1 Type I and SOC 1 Type II?

Understanding the difference between a SOC 1 Type I and SOC 1 Type II is simple; it comes down to the audit period. While both a SOC 1 Type I and SOC 1 Type II report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting (ICFR), the main difference between the two types of audits is the period in which the auditor verifies the effectiveness of internal controls. For example, if an organization opts to engage in a SOC 1 Type I audit, the auditor will assess the controls and processes that could impact its user entities’ ICFR at a specific point in time. On the other hand, if an organization pursues a SOC 1 Type II audit, the auditor will assess the controls and processes that could impact its user entities’ ICFR over a period of time.

What Type of SOC 1 Audit Do I Need?

The type of SOC 1 audit your organization needs depends on your organization’s compliance goals. Has a client asked for a SOC 1 audit? Did they specify which type of SOC 1 audit you need? In many cases, clients will not specify which type of audit they want you to have. In these instances, we always recommend that organizations begin with a Type I audit and then move on to a Type II audit, if needed. Why? Because beginning with a Type I audit allows your organization and your auditor to focus on the design and implementation of your internal controls, whereas a Type II requires additional time, testing, and resources that might make the audit process more challenging if you’ve never reviewed your internal controls before.

Want to learn more about the difference between a SOC 1 Type I and SOC 1 Type II or how KirkpatrickPrice can help you with your SOC 1 compliance objectives? Contact us today.


Video Transcription

When I get asked about SOC 1 Type I and SOC 1 Type II audits, I usually tell clients, “It’s going to come down to what your client is asking for.” Is your client specifically requiring you to go to the Type II, which many times will come after doing a Type I the first time? We’ve seen clients that have simply been required to do a Type II first, but if your client isn’t specifying that, because many times they’ll just tell their clients that they need to do a SOC 1 audit or an SSAE 18 audit. In other words, it will just be broad like that in their request. If this is the case, you have the luxury of starting with a SOC 1 Type I report. The benefit of starting there is that it allows you to focus with your auditor and work with your auditor on the description of your controls and the suitability of the design of those controls and really focus on that and getting those controls in place. That’s the threshold for a SOC 1 Type I report. What happens with a SOC 1 Type II report is that there is additional time spent testing, because in addition to those things, the auditor also has to test operating effectiveness over a period of time. It takes extra time and resources to do that because you need some time to make sure that the controls were in place and operating for a period of time. So, if a client is requiring you to go there first, then that’s the best approach to spend the time there to do the SOC 1 Type II audit, but if at all possible, try to start with the SOC 1 Type I audit so that you can focus on each step individually.

What is a SOC 1 Audit and Why Do You Need One?

Oftentimes, clients might ask you to complete a SOC 1 audit, which might leave you asking, “What is a SOC 1 audit? Why does my organization need one?” If your organization has the ability to impact your customers’ internal controls over financial reporting (ICFR), then you’re likely to be asked by those customers to undergo a SOC 1 audit. But what is a SOC 1 audit exactly? A System and Organization Controls 1 (SOC 1) audit is an audit designed to test the internal controls that a service organization has implemented to protect the data of its user entities (its customers), specifically the internal controls that could impact financial reporting. SOC 1 audits are conducted in accordance with the Statement on Standards for Attestation Engagements 18 (SSAE 18), which is used to regulate how companies conduct business and report on compliance controls.

What are the Benefits of a SOC 1 Audit?

If you’re wondering “What is a SOC 1 audit?”, you’re probably also wondering “What are the benefits of a SOC 1 audit?” too. In fact, if you’ve never engaged in a SOC 1 audit before, chances are the process seems a bit intimidating. But when you pursue SOC 1 compliance with KirkpatrickPrice, it doesn’t have to be. Whether it’s your first time undergoing an audit, or you’ve been through audits before, our streamlined approach to the audit process will leave you with the following benefits upon the completion of your SOC 1 audit:

  • Peace of mind that your organization has the proper internal controls and processes in place to deliver high-quality services to your clients
  • An in-depth evaluation of your policies and procedures
  • Assurance for your clients that the sensitive assets they’ve entrusted to you are effectively protected
  • Stronger, more robust security hygiene, because a third party verified your internal controls, not just your internal audit team
  • A competitive advantage by demonstrating your commitment to security

Has your organization been asked to demonstrate SOC 1 compliance? Are you unsure where to begin? Contact us today to learn how KirkpatrickPrice can help you get started on your compliance efforts.


Video Transcription

A SOC 1 report is a System and Organization Controls report. Most service organizations are offering services to their clients, such as managed services, application services, or any type of third-party service that’s being outsourced to them from their clients. They’re being asked to do this report as a way to prove to the client that they’re working with that their controls are mature enough and that they’ve been tested by a third-party auditor. We’ve found that a lot of people who call us the first time, they’re small- to medium-sized service providers, and they just found out that their biggest client is requiring them to do this audit that they’ve never heard of. They feel under the gun and pressured to do this in order to check a box because it feels like something that’s been forced upon them. But one of the really great things as to why you should do a SOC 1 audit is because it does validate your controls; it does validate what you’re doing. You might be competing against another company in your industry that has not taken the step of having an independent third party come in and evaluate those controls. When you have an experienced auditor, like those we have here at KirkpatrickPrice, come in with years of experience and perspective and provide you with guidance and expertise on what your controls are or are not doing, it’s a very good process for you to strengthen your environment. It’s a very healthy process to go through to have that external opinion of what you’re doing. Sometimes we have our own internal environments and we have blinders on because we’ve never had a third party come in and look at it from a different vantage point. We find our clients telling us, “In year one when we did the audit with you, we just thought it was something we were just going to have to do and get it over with, but after years two and three, we’ve started to see that this is a very healthy process, and it actually helps our business get stronger and to grow.”