Understanding Your Audit: Locations and Sampling

by Sarah Harvey / December 13th, 2019

During the audit process, our qualified Information Security Specialists use best practices to determine the scope of the work. If you’ve never completed an audit, you’ve probably had questions about scoping and sampling. How many locations should be audited? Which locations are most important? How does an auditor develop a scope? What kind of sampling takes place during the audit? These are all valid questions asked by organizations undergoing an audit for the first time. Let’s talk about locations and sampling.

Locations, Locations, Locations

If you’re an organization with multiple office locations, you may be wondering which locations to include in your audit. While our expert-level Information Security Specialists will audit multiple locations, it’s not necessary that they physically visit every office location that you have. Instead, you can include the locations that hold key systems and processes. If you are storing data or backing up your systems in an office location, you should expect that location to be included in your audit. Do you have remote employees with no access to data? Wherever you’re looking to check security controls and protect data, you need to have those processes tested.

Do you have an office located overseas? Have you ever visited this office location to confirm proper security processes are in place? Out of sight, out of mind is a reality for many organizations with overseas locations. That’s why it’s important to have a qualified Information Security Specialist in person completing an onsite visit and auditing your security controls. Many of our clients are appreciative of our auditors who are willing to travel overseas to verify that their vendors are doing what they say they’re doing. Whether that location is in Canada or India, you’ll want the security of that location to be thoroughly audited.

How Does Location Data Sampling Work?

Imagine you have hundreds of employees across hundreds of office locations with countless amounts of data you’re planning to audit. If one of our Information Security Specialists were to use every one of your data points from every location in an audit, the audit process would take years to complete. Instead, auditors use sampling to take a portion of the data that is necessary to reach reasonable assurance during the audit. When designing the sample, auditors evaluate the purpose of the sample, outliers, and behavior to select the proper sample size. Sample risk should be determined to understand how many possible errors could be in the data so that the Information Security Specialist can do a job of reaching reasonable assurance.

Overall, sampling is a tool that is used to gather a reasonable amount of data that can be used in the audit. Instead of auditing 400 retail locations, the auditor may take a sample from each region. You can expect to participate in sampling during the audit process as an effort to complete a quality audit.

Completing an Audit with KirkpatrickPrice

When you choose to complete an audit with KirkpatrickPrice, you’re also choosing to receive quality education throughout the audit process and guidance from our expert information security team. We’ll guide you through the decision-making processes as you choose which locations to include in your scope. During the onsite visit, your Information Security Specialist will further expand on the sampling tool as they work to audit your security controls. You can count on KirkpatrickPrice to reach reasonable assurance in all of our audit practices. Interested in learning more about completing an audit with KirkpatrickPrice? Contact us, today!