Auditing Basics: Audit Risk, Control Risk, and Detection Risk

What Types of Risk Impact SOC 1 and SOC 2 Audits?

SOC 1 and SOC 2 audits are largely shaped by various types of risk. During a SOC 1 or SOC 2 audit, an auditor will be focused on limiting the following types of risk: audit risk, control risk, and detection risk. So, how are those risks different? How do they affect an auditor while performing SOC 1 or SOC 2 audits? Let’s discuss.

What is Audit Risk?

According to the AICPA, audit risk is “the risk that the auditor expresses an inappropriate audit opinion when financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.” Essentially, audit risk includes the risk that an auditor did not perform their due diligence when assessing an organization’s compliance with the SOC 1 or SOC 2 frameworks, such as failing to test something, missing a critical piece of evidence, or otherwise getting something in the audit wrong. Audit risk ultimately refers to the risk that a CPA firm issues an inaccurate opinion of an organization’s internal controls.

What is Control Risk?

During SOC 1 and SOC 2 audits, control risk represents the chance that your controls are not operating effectively or that the failure of a control could lead to a material misstatement in financial statements. Control risk takes into account the potential for error from both humans and automated processes. Why? Because humans are inherently inclined to make mistakes, and no automated process is completely error-free. Although there is always some level of risk, throughout the assessment process an auditor will work to mitigate control risk as much as possible by designing tests to obtain reasonable assurance that the controls are operating effectively and that their audit opinion is going to be accurate and based on good results.

What is Detection Risk?

In order for auditing to be effective, an auditor must be able to detect misstatements throughout the assessment. Considering this, detection risk is the risk that an auditor will fail to detect a misstatement that actually exists. An auditor can reduce the level of detection risk by designing tests of policies and procedures and applying sampling to help give reasonable assurance that a control is in place and operating effectively.

Video Transcription

One of the things that I really believe is important for our clients to understand is the type of risk that our auditor is thinking about as they’re working with you on your audit engagement. We think about audit risk, control risk, and detection risk. Audit risk is the chance that something in our audit is wrong, we missed something, or we didn’t test something. In other words, our opinion that we issued is incorrect because there was something that we should have found. Obviously, we want that risk to be as low as possible, and we’re always thinking about that as we do our work. Control risk is the chance that the control we’re testing is not operating the way it’s supposed to operate. For example, controls fail, and if you have a person who is responsible for monitoring a system, people fail and make mistakes. There are inherent limitations to humans doing something, so there is always a chance of a control not operating effectively. What about technology? Technology has failures and anomalies. Sometimes it’s down or it’s not able to connect or do what it’s supposed to do, so that control can fail. That’s control risk: what is the chance that this particular control won’t operate in the way that it was intended to operate? In order for us to address those levels of risk, we as auditors design tests in order to sample a good amount of systems to obtain reasonable assurance that these controls are operating effectively and that our audit opinion is going to be accurate and based on good results. We will perform more tests the higher the level of risk that the control might fail and fewer tests the lower the level of risk that the control might fail. Ultimately, it’s all about performing the audit correctly according to professional standards, because it is an opinion and validation of your controls that your clients rely upon. They rely upon your auditor to do a quality job, and you should expect and demand that as well to make sure your environment is tested as stringently as can be, so that nothing is missed, and nothing is left undone before we issue an opinion.

Auditing Basics: Carve-Out vs. Inclusive Vendors

During the initial scoping phases of an organization’s audit engagement, your auditor will partner with you to help you narrow down the third-party vendors to be included in your engagement. In order to ensure that your organization’s security posture is and remains strong, you need to consider the impact that the third-party vendors you’ve entrusted sensitive data with could have on your organization. This means that you’ll need to be able to list who your third-party vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Knowing this information will help you determine whether or not you need to carve them out of your audit or include them. What’s the difference between carving out or including third-party vendors in an audit? Let’s take a look.

Carve-Out vs. Inclusive Method: What’s the Difference?

When an organization opts to use the inclusive method for their third-party vendors, this means that the vendors will be included in the scope of the audit. This also implies that the third party has not had an audit of their controls performed, and the organization being audited wants to make sure that the third-party vendors they’ve partnered with are doing what they say they’re doing to protect their sensitive assets. When using the inclusive method, auditors will perform a site visit, test personnel, interview them, and collect evidence on their controls. On the other hand, when an organization opts to carve out their third-party vendors, this means that the vendors will not be included in the audit, and your audit firm will not issue an opinion on any controls they have in place that you rely upon to deliver your services. Typically, this implies that the third-party vendor has their own audit report to provide to your audit firm for review, and no further action is required on their behalf.

Need help determining if you should carve out or include your third-party vendors in your audit? Contact us today.

Video Transcription

One of the decisions that needs to be made for your audit is how to treat your third-party service providers. There are two methods – carve-out and inclusive – and I’m going to explain the difference between the two. If you carve out your third-party service provider, that means that we do not issue an opinion on any controls that they have in place that you rely upon to deliver your services. When you hand your report to your client, they are very likely going to ask how they can validate the controls of that third-party service provider. They often want to know if they have an audit report that they’ve had performed so they can review it. If they haven’t had an audit report, they might question how they can be sure that the third party you’re partnered with is doing what they say they’re doing to protect their data. The inclusive method is where we include the third-party service provider in your audit. We visit them, test them, interview them, collect evidence from them – just like we do for the service organization. The report would then talk about the controls that were in place at not only the service organization but the sub-service organization, or third-party service provider, as well. So, think about which third parties you work with and whether or not they have their own audit report, and whether or not they should be included or carved out as part of your audit process.

Auditing Basics: What is a Gap Analysis?

Do You Need a Gap Analysis?

If it’s your first time pursuing compliance for any framework – whether it’s SOC 1, SOC 2, PCI DSS, HIPAA, GDPR, etc. – we strongly recommend beginning your engagement with a gap analysis. At KirkpatrickPrice, we’re committed to helping our clients get the most out of their audit, which means that we don’t want you to fail due to lack of preparation. That’s why our gap analysis service is specifically designed to help you prepare for the audit so that you can meet your compliance goals. How does the gap analysis process work? Organizations are partnered with an Information Security Specialist and an Audit Support Professional, who identify any operational, reporting, and compliance gaps and then offer advice on strategies for remediation. Ultimately, a gap analysis asks and answers, “How are we doing compared to what regulations require?”

Do You Need a Remote or Onsite Gap Analysis?

Many of our clients ask us whether they should do a remote or onsite gap analysis, and the answer really boils down to how prepared you want to be. Many organizations believe that remote gap analyses are the most convenient option — organizations simply have to upload documentation and evidence into our Online Audit Manager for review and attend conference calls with one of our Information Security Specialists over a two- to three-week period. For organizations that opt to do an onsite gap analysis, it is typically a much more intensive experience. An auditor will come on site over a three- to five-day period to review documentation and evidence and interview personnel. Regardless of whether an organization decides to undergo a remote or onsite gap analysis, they’ll leave with a better understanding of how to remedy the vulnerabilities found, a timeline and strategies for doing so, and resources to guide them along their remediation journey.

If it’s your first time going through an audit of a specific framework, let us be your guide. Contact us today for more information on the value of gap analysis and what KirkpatrickPrice’s process is.

Video Transcription

We commonly receive inquiries about how to get started with an audit. People are worried that they aren’t ready for the audit, and the question is always along the lines of “What can we do to prepare? What are the ‘gotcha’ areas that we need to be concerned with?” One of the ways that we love to help our clients with this is with a service called a gap analysis. One of our senior, expert-level auditors will be assigned to you and will perform either a remote or in-person gap analysis. We walk through the requirements of the audit, and we help you identify any gaps in your policies, your procedures, your controls, or anything you need to do to quickly address any gaps you have in compliance for the particular audit framework that you’re seeking to comply with. We can perform a gap analysis anywhere in the world. We travel overseas and we perform things remotely in a virtual manner in order to help you understand what you need to do as quickly as possible and get you on the road to completing your audit.

Auditing Basics: What are Control Objectives?

What are Control Objectives?

Control objectives are statements that address how risk is going to be effectively managed by an organization, and your auditor will be validating whether or not your organization meets these control objectives during a SOC 1 or SOC 2 audit. The AICPA requires that the description of the service organization’s systems includes specific control objectives and controls designed to achieve those objectives, and control objectives are typically presented in a matrix format.

During the scoping phase of a SOC 1 or SOC 2 audit, you and your auditor will choose around 10-30 control objectives to be included in the audit. Determining the best control objectives for your organization is crucial to getting the most out of your audit, which is why organizations need to partner with senior-level, expert information security specialists who can assist in writing the control objectives to make sure that they’re presented reasonably.

Achievement of Your Control Objectives

Identifying risks that threaten the achievement of your control objectives and implementing related controls is a major component of a SOC 1 or SOC 2 audit. When going through a SOC 1 or SOC 2 audit, control objectives help to ensure that an organization’s security posture is — and remains — strong. If one of your control objectives is, “Our controls provide reasonable assurance that we restrict unauthorized access to our critical systems,” then you would need to implement controls to ensure that this objective is met. To validate this control objective, your auditor might verify that you have controls in place such as locked doors, badges, monitoring systems, and logical access controls.

Video Transcription

Part of the terminology that you will hear over and over again in your audit is called control objectives. These are the objectives that your organization is trying to achieve. Let me give you an example of one: ‘Our controls provide reasonable assurance that we are preventing unauthorized access to sensitive information.’ The controls that you put into place have to be designed with the achievement of your control objectives in mind, so they would be things like locked doors, video monitoring, security guards, logical access controls, visitor badges, sign-ins, those kinds of things. The auditor would review and test those controls to make sure they are achieving the objective that you set out to do. In your report, you’ll have anywhere between 10 and 30 control objectives. Your auditor can help you write those control objectives and make sure they’re reasonably presented because, ultimately, an opinion will be issued about whether or not the controls you put into place are operating effectively and achieving the control objectives.

Auditing Basics: What is an Assertion?

What is Management’s Written Assertion?

At the beginning stages of the SOC 1 or SOC 2 audit process, an organization will be asked to provide management’s written assertion to their auditor. This assertion lays the foundation for the audit because it is a written claim by an organization describing their systems and what their services are expected to accomplish for the organizations they do business with. It tells auditors how an organization’s system is designed and how it’s supposed to operate. For an auditor to be able to perform a SOC 1 or SOC 2 audit, the organization must acknowledge and accept the responsibility of providing management’s written assertion.

The AICPA defines an assertion as any declaration or set of declarations about whether the subject matter is in accordance with, or based on, the criteria. The AICPA also lays out three functions of management’s written assertion:

  • Addresses whether the description of the service organization’s system is presented in accordance with the description criteria
  • Addresses whether the controls stated in the description were suitably designed
  • Addresses whether the controls, during a Type II engagement, were operating effectively

Testing an Assertion

Throughout the SOC 1 or SOC 2 audit process, an auditor will review an organization’s internal controls, culminating in a final audit report wherein the auditor’s opinion is based on whether or not the assertion was fairly presented. This means that when an organization provides their assertion to their auditor, it needs to be as accurate as possible. For example, if your organization provides an assertion that states your employees are regularly trained and tested on cybersecurity best practices, you need to be able to show an auditor that this training does occur so that the auditor can validate that this claim is accurate.

Video Transcription

One of the things that management has to provide to their auditor is an assertion. The assertion is a written document that provides a description of the system and what it is that the service is expected to accomplish for the user organization. The assertion is a detailed description of how the system is designed and how it’s supposed to operate. This assertion has to be received by the auditor, and our opinion is based on whether or not the assertion is fairly presented.