Do You Need a Gap Analysis?

If it’s your first time pursuing compliance for any framework – whether it’s SOC 1, SOC 2, PCI DSS, HIPAA, GDPR, etc. – we strongly recommend beginning your engagement with a gap analysis. At KirkpatrickPrice, we’re committed to helping our clients get the most out of their audit, which means that we don’t want you to fail due to lack of preparation. That’s why our gap analysis service is specifically designed to help you prepare for the audit so that you can meet your compliance goals. How does the gap analysis process work? Organizations are partnered with an Information Security Specialist and an Audit Support Professional, who identify any operational, reporting, and compliance gaps and then offer advice on strategies for remediation. Ultimately, a gap analysis asks and answers, “How are we doing compared to what the framework requires?”

Do You Need a Remote or Onsite Gap Analysis?

Many of our clients ask us whether they should do a remote or onsite gap analysis, and the answer really boils down to how prepared you want to be. Remote gap analyses are the more convenient option: organizations upload documentation and evidence into our Online Audit Manager for review and attend conference calls with one of our Information Security Specialists over a two- to three-week period. An onsite gap analysis is typically a much more intensive experience: an auditor comes on site for three to five days to review documentation and evidence and to interview personnel. Whether an organization chooses a remote or onsite gap analysis, it will leave with a better understanding of how to remediate the gaps and vulnerabilities found, a timeline and strategies for doing so, and resources to guide it along the remediation journey.

If it’s your first time going through an audit of a specific framework, let us be your guide. Contact us today for more information on the value of gap analysis and what KirkpatrickPrice’s process is.

We commonly receive inquiries about how to get started with an audit. People are worried that they aren’t ready for the audit, and the question is always along the lines of “What can we do to prepare? What are the ‘gotcha’ areas that we need to be concerned with?” One of the ways that we love to help our clients with this is a service called a gap analysis. One of our senior, expert-level auditors will be assigned to you and will perform either a remote or in-person gap analysis. We walk through the requirements of the audit, and we help you identify any gaps in your policies, your procedures, your controls, or anything else you need to do to quickly address any gaps in compliance with the particular audit framework you’re seeking to comply with. We can perform a gap analysis anywhere in the world: we travel overseas, and we also perform gap analyses remotely in a virtual manner, in order to help you understand what you need to do as quickly as possible and get you on the road to completing your audit.

What are Control Objectives?

Control objectives are statements that address how risk is going to be effectively managed by an organization, and your auditor will be validating whether or not your organization meets these control objectives during a SOC 1 audit. The AICPA requires that the description of the service organization’s systems includes specific control objectives and controls designed to achieve those objectives, and control objectives are typically presented in a matrix format.

During the scoping phase of a SOC 1 audit, you and your auditor will choose around 10-30 control objectives to be included in the audit. Determining the best control objectives for your organization is crucial for ensuring that you get the most out of your audit, which is why organizations need to partner with senior-level expert information security specialists who can assist in writing the control objectives to make sure that they’re presented reasonably.

Achievement of Your Control Objectives

Identifying risks that threaten the achievement of your control objectives and implementing related controls is a major component of a SOC 1 audit. When going through a SOC 1 audit, control objectives help to ensure that an organization’s internal control is — and remains — strong. If one of your control objectives is, “Our controls provide reasonable assurance that access to our critical systems is restricted to authorized users,” then you would need to implement controls that achieve that objective. To validate it, your auditor might verify that you have controls in place such as locked doors, badges, monitoring systems, and logical access controls, and in a Type II engagement would also test that those controls operated effectively throughout the review period.

Part of the terminology that you will hear over and over again in your audit is called control objectives. These are the objectives that your organization is trying to achieve. Let me give you an example of one: ‘Our controls provide reasonable assurance that we are preventing unauthorized access to sensitive information.’ The controls that you put into place have to be designed with the achievement of your control objectives in mind, so they would be things like locked doors, video monitoring, security guards, logical access controls, visitor badges, sign-ins, those kinds of things. The auditor would review and test those controls to make sure they are achieving the objective that you set out to achieve. In your report, you’ll have anywhere from 10 to 30 control objectives. Your auditor can help you write those control objectives and make sure they’re reasonably presented because, ultimately, an opinion will be issued about whether or not the controls you put into place are operating effectively and achieving the control objectives.

What is Management’s Written Assertion?

At the beginning stages of the SOC 1 or SOC 2 audit process, an organization will be asked to provide management’s written assertion to its auditor. This assertion lays the foundation for the audit because it is a written claim by the organization describing its system and what its services are expected to accomplish for the user entities it does business with. It tells auditors how the organization’s system is designed and how it’s supposed to operate. For an auditor to be able to perform a SOC 1 or SOC 2 audit, the organization must acknowledge and accept responsibility for providing management’s written assertion.

The AICPA defines an assertion as any declaration or set of declarations about whether the subject matter is in accordance with, or based on, the criteria. The AICPA also lays out three functions of management’s written assertion:

  • Addresses whether the description of the service organization’s system is presented in accordance with the description criteria
  • Addresses whether the controls stated in the description were suitably designed
  • Addresses whether the controls, in a Type II engagement, operated effectively throughout the specified period

Testing an Assertion

Throughout the SOC 1 or SOC 2 audit process, an auditor will review an organization’s internal controls, culminating in a final audit report in which the auditor’s opinion addresses whether the assertion was fairly presented. This means that when an organization provides its assertion to its auditor, it needs to be as accurate as possible. For example, if your assertion states that your employees are regularly trained and tested on cybersecurity best practices, you need to be able to show the auditor evidence that this training actually occurs, such as completion records covering the review period, so that the auditor can validate the claim.

One of the things that management has to provide to their auditor is an assertion. The assertion is a written document that provides a description of the system and what it is that the service is expected to accomplish for the user organization. The assertion is a detailed description of how the system is designed and how it’s supposed to operate. This assertion has to be received by the auditor and our opinion is based on whether or not the assertion is fairly presented.

Processing Integrity Criteria 1.5

When an organization pursues SOC 2 compliance, an auditor will verify that it complies with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there are additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the processing integrity category in its audit, it would need to comply with the additional criteria for processing integrity. Processing integrity criterion 1.5 (PI1.5) says, “The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives.” Let’s take a look at why your organization needs documentation of inputs if you’re pursuing SOC 2 compliance.

Why Do You Need Documentation of Inputs?

Like with the other criteria assessed during a SOC 2 audit, an auditor will want to see that an organization has effective documentation of inputs to determine whether it complies with processing integrity criteria 1.5. This means that organizations that include the processing integrity category will need to demonstrate that they have policies and procedures in place for storing inputs, items in processing, and outputs in a complete, accurate, and timely manner. Why? Because if the integrity of a processing activity is ever called into question, there need to be documented, readily available records that show what data was acted on, when the action took place, and who completed it.

Complying with Processing Integrity Criteria 1.5

Auditors will use the following points of focus to determine compliance with processing integrity criteria 1.5:

  • Does the entity protect stored items from theft, corruption, destruction, or deterioration?
  • Does the entity archive and protect system records?
  • Does the entity have procedures in place to store data completely and accurately?
  • Does the entity create and maintain records of system storage activities?

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Processing integrity 1.5 of the SOC 2 Trust Services Criteria states that the entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives. What is this about? This is making sure that everything that was relied upon when the process occurred is still there and available for review if there ever had to be an audit or examination to determine where a piece of information came from. This is especially true in cases of fraud where perhaps someone tried to execute fraud in a payment process or the cutting of a check out of a system, and it’s imperative to go back and see who took what action when. You want to have those records archived and available in a way so that you can prove that process occurred based on the information that was input and provided every step of the way.

Processing Integrity Criteria 1.4

Processing integrity is one of the four optional categories (availability, confidentiality, processing integrity, and privacy) that an organization can add to the common criteria in its SOC 2 audit under the 2017 Trust Services Criteria, and including it means complying with its additional criteria. Processing integrity criterion 1.4 (PI1.4) says, “The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives.” Let’s discuss why it’s important for organizations to deliver complete, accurate, and timely output when pursuing SOC 2 compliance.

Delivering Complete, Accurate, and Timely Output

Part of being a secure and trusted service provider is delivering complete, accurate, and timely outputs. Why? Because if your clients can’t rely upon you to deliver outputs that are complete, accurate, and timely, why would they continue to do business with you? If a client is relying on you to provide them with reports that are critical to their operations, what would happen if you failed to deliver them in a timely manner? What if inaccurate information was included in those reports?

During a SOC 2 audit, then, an auditor will verify an organization’s compliance with processing integrity criteria 1.4 to ensure that it is delivering complete, accurate, and timely outputs. For example, let’s say that the organization being audited is a billing firm. At the end of each month, that firm provides its client with a complete and accurate list of all of the billing that occurred that month, the payments received, and the credits and adjustments made. That report has to be delivered in a complete, accurate, and timely way, and only to the client it is intended for, to ensure that when the client receives the report, they can rely upon that output.

Complying with Processing Integrity Criteria 1.4

To assess an organization’s compliance with processing integrity criteria 1.4, auditors will use the following four points of focus:

  1. The entity protects output when it is stored or delivered with the intention of preventing theft, destruction, corruption, or deterioration.
  2. The entity distributes output only to intended parties.
  3. The entity distributes output completely and accurately.
  4. The entity creates and maintains records of system output activities.

Processing integrity 1.4 says that the entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives. If your processing system produces some output that your client relies upon, you have to make sure that that is complete and accurate and that you protect and control it until it gets into the hands of your client who relies upon it. For example, you might be some type of a billing service provider, and there’s a statement at the end of the month that goes to your client that says, “This is the true and accurate representation of all the billing that occurred this month. These are the payments we received. These are the credits and adjustments.” This report has to be delivered in a secure and accurate way to ensure that your client, when they get it, can rely upon that output.
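Both criteria above come down to the same engineering question: can you later prove what was input, what was done to it, what was delivered, to whom, and by whom, and detect if any of that record was altered after the fact? The following is an added illustration of one way to keep such records; it is example code, not KirkpatrickPrice’s or anything the Trust Services Criteria prescribe. It records each stage of the payment-run scenario from the PI1.5 discussion in an append-only, hash-chained ledger (the “who took what action when” record PI1.5 asks for), restricts delivery to an intended-party list and records each delivery (the PI1.4 points of focus), and shows the chain check catching a tampered output record. The stages, actors, item IDs and recipient address are constructed sample data.

```python
"""Tamper-evident processing ledger (illustrative example, not KirkpatrickPrice code).

Each record holds a SHA-256 digest of the item as it existed at that stage, the
actor, a timestamp and the hash of the previous record, so editing, deleting or
reordering a record afterwards breaks the chain and is caught by verify().
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record


class ProcessingLedger:
    """Append-only record of who did what to which item, and when."""

    def __init__(self, intended_recipients):
        self.records = []
        self.intended_recipients = set(intended_recipients)  # PI1.4: intended parties only

    @staticmethod
    def _digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def _append(self, stage, actor, item_id, data, recipient=None, when=None):
        prev_hash = self.records[-1]["record_hash"] if self.records else GENESIS
        record = {
            "seq": len(self.records),
            "stage": stage,                      # input | processing | output | delivery
            "actor": actor,                      # who completed the action
            "item_id": item_id,
            "data_digest": self._digest(data),   # what the item looked like at this step
            "recipient": recipient,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev_hash,
        }
        canonical = json.dumps(record, sort_keys=True).encode()
        record["record_hash"] = self._digest(canonical)
        self.records.append(record)
        return record

    # PI1.5: inputs, items in processing and outputs are stored and the storage is recorded
    def record_input(self, actor, item_id, data, when=None):
        return self._append("input", actor, item_id, data, when=when)

    def record_processing(self, actor, item_id, data, when=None):
        return self._append("processing", actor, item_id, data, when=when)

    def record_output(self, actor, item_id, data, when=None):
        return self._append("output", actor, item_id, data, when=when)

    # PI1.4: output is delivered only to intended parties, and every delivery is recorded
    def record_delivery(self, actor, item_id, data, recipient, when=None):
        if recipient not in self.intended_recipients:
            raise PermissionError(f"{recipient} is not an intended party for this output")
        return self._append("delivery", actor, item_id, data, recipient, when)

    def verify(self):
        """Recompute the whole chain. Returns (True, None) or (False, first_bad_seq)."""
        prev_hash = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev_hash"] != prev_hash:
                return False, i  # a record was deleted, inserted or reordered
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if rec["record_hash"] != self._digest(json.dumps(body, sort_keys=True).encode()):
                return False, i  # a field inside the record was changed after it was written
            prev_hash = rec["record_hash"]
        return True, None

    def history(self, item_id):
        """Who took what action on one item, and when: the question PI1.5 is meant to answer."""
        return [(r["stage"], r["actor"], r["timestamp"])
                for r in self.records if r["item_id"] == item_id]


def demo():
    """Constructed payment-run scenario; returns (clean_ok, tampered_ok, bad_seq)."""
    ledger = ProcessingLedger(intended_recipients={"client-finance@example.com"})  # hypothetical
    ledger.record_input("ap-clerk", "INV-1001", b'{"vendor":"Acme","amount":"1250.00"}',
                        when="2024-03-01T09:00:00+00:00")
    ledger.record_processing("approval-service", "INV-1001",
                             b'{"vendor":"Acme","amount":"1250.00","approved_by":"controller"}',
                             when="2024-03-01T10:15:00+00:00")
    ledger.record_output("payment-run", "INV-1001", b"CHECK 4471 Acme 1250.00",
                         when="2024-03-01T17:00:00+00:00")
    ledger.record_delivery("report-mailer", "INV-1001", b"CHECK 4471 Acme 1250.00",
                           "client-finance@example.com", when="2024-03-02T08:00:00+00:00")
    clean_ok, _ = ledger.verify()
    # Simulated fraud: the stored output record is rewritten to match an inflated check
    ledger.records[2]["data_digest"] = ledger._digest(b"CHECK 4471 Acme 12500.00")
    tampered_ok, bad_seq = ledger.verify()
    return clean_ok, tampered_ok, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

In practice the ledger would be written to storage the processing system itself cannot modify (write-once storage or a separate logging account) and the chain head periodically anchored or signed; the hash chain only makes tampering detectable, it does not prevent it. Retaining digests rather than the full items keeps the ledger small, but the items themselves still have to be archived for the period the entity’s retention requirements specify, or the record of “what was input” cannot be produced on request.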