Understanding Your SOC 1 Report: Auditor’s Test of Controls

The Auditor’s Test of Controls: Review, Observe, and Interview

At the end of a SOC 1 Type II report, you’ll find a section titled “Information Provided by the Independent Service Auditor.” Within this section, you will find “Auditor’s Test of Controls,” which describes the controls that were tested during the audit, the procedures used for testing those controls, and the results of the testing. The tests of controls are procedures that the auditor goes through to provide reasonable assurance that the controls have been operating effectively over a period of time. When reviewing a SOC 1 Type II report, the opinion and the results of the auditor’s test of controls may contain vital information necessary to verify whether a service organization’s controls have been suitably designed and are operating effectively.

The procedures used for testing controls typically fall under one of three categories: review, observe, or interview. Let’s say your service organization says it has a policy that governs physical security, which includes things like door locks, surveillance cameras, onsite security guards, alarms, and issuing visitor badges. An auditor could review the relevant documentation to ascertain that the physical security policy does exist, it’s in place, and employees know about its existence. Or, an auditor could observe physical security practices, such as the process for issuing visitor badges, to verify that this policy does exist, it’s in place, and employees know about its existence. Or, an auditor could interview the personnel responsible for issuing visitor badges to verify that the physical security policy does exist, it’s in place, and employees know about its existence.

An auditor’s test of controls is designed uniquely and specifically for the controls that your service organization has put into place. If there are exceptions provided in the SOC 1 Type II report, for example, “In this case, the physical security control was not operating as it should have been,” those situations will be reported to management so that they can be remediated as soon as possible.

More questions about SOC 1 reports? View more of our SOC 1 video resources or contact us today.

Video Transcript

For an SSAE 16 (now SSAE 18) Type II report, there’s a section titled “Auditor’s Test of Controls.” These tests of controls are procedures that the auditor goes through to provide reasonable assurance that the controls have been operating effectively over a period of time.

An example of a test of control that an auditor would perform would be a review of policy. If you have stated that you have a policy that governs information security, or logical access, or human resources, or physical security, or application development, a test of that would be that the auditor reviews the document to ascertain that it does exist and it is in place and that people know about its existence.

Another test of control would be an observation. If one of your controls is, “We train our employees when they are hired,” or, “We monitor our network health in order to identify system capacity,” or if another control is, “We conduct peer review on our application development processes among our development teams,” an auditor may observe these practices or look for evidence that would provide them assurance that these things are taking place.

These tests of controls are designed uniquely and specifically for the controls that you’ve put into place and the auditor writes up a description of the tests that were performed and what the results of those tests were. There could be exceptions provided in the report, “In this case, this control was not operating as it should have been,” and of course, those situations are reported to management so that they can be dealt with and remediated as soon as possible.

Understanding Your SOC 1 Report: Audit Risk, Control Risk, and Detection Risk

Driven by Risk

An information security audit is largely driven by risk. We know that your clients rely upon our opinion; we don’t take that lightly. We will do everything possible to gain reasonable assurance that controls are in place and operating effectively. This is why audit risk, control risk, and detection risk are so important to us. These elements of risk overlap and work together, but they also drive our audits so that we can give you reasonable assurance.

What is Audit Risk?

In an audit of financial statements, like SOC 1 audits, audit risk is defined by the PCAOB as, “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.” What are the chances of an audit firm’s opinion being incorrect? What are the chances something gets overlooked? This all factors into the concept of audit risk.

What is Control Risk?

What are the chances that your controls are not operating effectively? What are the chances that the failure of a control leads to a material misstatement in the financial statements? This is control risk. If you rely upon a person to monitor something, there are inherent limitations. Why? Because people make mistakes. The more that people are involved, the higher the control risk. But there’s control risk related to automated processes too, because systems fail. There’s always some level of control risk, but an auditor will design tests to help us have reasonable assurance that controls are in place and operating effectively.

What is Detection Risk?

Will an auditor not detect something that is in existence? This is detection risk. In relation to SOC 1 audits, the PCAOB defines detection risk as, “The risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, individually or in combination with other misstatements. Detection risk is affected by the effectiveness of the substantive procedures and their application by the auditor.” An auditor can reduce the level of detection risk by designing tests of policies and procedures and applying sampling to help give reasonable assurance that a control is in place and operating effectively.

Video Transcript

As you work with your auditor on your SSAE 16 (now SSAE 18), one of the concepts to be aware of would be related to audit risk, control risk, and detection risk.

As an audit firm, we’re always concerned about whether or not our opinion is accurate about the service organization that we’re auditing; that’s the concept of audit risk. What are the chances that our audit will be incorrect? That we will miss something?

Control risk is the chance that your control is not operating effectively. The more that people are involved, the higher the control risk. For example, if you rely upon a person to monitor something or do something, there are inherent limitations to that because people make mistakes. There are also inherent mistakes to automated practices because systems fail. There’s always some level of control risk and the auditor will design tests in order to help us to have reasonable assurance that the control is in place and is operating effectively for the most amount of time possible. That relates to detection risk.

What are the chances that we, in our audit, won’t detect something that is in existence? The auditor will design tests and will apply sampling in order to get a good snapshot of the control being in place and operating effectively, so that we can be reasonably assured in our opinion that we provide to you, the service organization. In turn, your clients will rely upon that opinion, which is why the audit has to be properly scoped, properly conducted, and it’s always being driven by these elements of risk that I’ve described.

Understanding Your SOC 1 Report: Determining your Audit Period

Operating Effectively Over a Period of Time

When considering pursuing a SOC 1 Type II report, there’s a new element to consider: determining your audit period. It’s important to remember that a SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. However, unlike a Type I report, Type II reports include an opinion on whether the controls were operating effectively over a period of time. Assessing the operating effectiveness of controls over a period of time helps the auditor determine whether controls have been implemented. If the controls are found to be operating effectively over a period of time, then the control objectives have been achieved.

If you are required to receive a SOC 1 Type II report, your service organization will undergo more testing than in a SOC 1 Type I audit. Because additional testing is necessary to determine that the controls are not only in place, but also operating effectively over a period of time, SOC 1 Type II audits take more time to conduct.

It’s common to ask, “How do we determine our audit period?” when planning a SOC 1 Type II audit. That needs to be a conversation you have with your auditor. The review period is typically six to 12 months, but because every circumstance is different, you and your auditor must determine what’s appropriate for your service organization.

Considering client needs and timing constraints is critical when pursuing a SOC 1 Type II report. If you have questions about SOC 1 reports, view more of our SOC 1 video resources or contact us today.

Video Transcript

For your SSAE 16 (SOC 1) Type II report, the controls that are under review have to have been put in place for a period of time, and the auditor will perform tests of operating effectiveness to ensure that those controls were operating effectively over that period of time.

One of the questions that we receive is, “What period should we evaluate as part of this audit?” That will be a conversation between you and your auditor in order to determine what the review period should be, but it is most commonly six months or 12 months. Please speak with your auditor about what is most appropriate for you and your circumstance.

Understanding Your SOC 1 Report: What is Scope?

So What Is Scope, Anyway?

No matter what kind of data you’re protecting – financial information, cardholder data, ePHI – you need to understand where your assets reside and what controls are protecting them. This is why the scoping process is so important. If you don’t know where your data is, how do you plan to protect it?

What is scope? How do you determine an accurate definition of scope? The scope of an assessment identifies the people, processes, and technologies that interact with, or could otherwise impact, the security of the information to be protected. Scoping is the first step for any assessment and also one of the most important elements of an information security assessment because ignoring any of the relevant people, processes, or technologies could severely impact the quality and reliability of the entire assessment.

SOC 1 reports were primarily designed to report on the controls of service organizations that are relevant to their clients’ financial statements. For a SOC 1 audit, the scoping process may look something like this:

  • Which locations are involved?
  • Do you have any third parties? What services do they provide?
  • How many business applications and technology platforms are involved?
  • Which systems are involved?
  • What people are responsible?
  • Which processes focus on internal control over financial reporting?

As you work with your auditor, you will determine a proper definition of scope. Scoping is critical to putting boundaries in place for collecting evidence. If you have questions about scoping, SOC 1 audits, or want help demonstrating to your clients your commitment to security and compliance, contact us today.

Video Transcript

One of the very first things you’ll work with in a SOC 1 audit is the definition of scope. As you work with your auditor, you will define what the proper scope is for the audit, such as what locations are involved, which services are in scope for the audit, which processes, which vendors are involved. Are there outsourced services from vendors that are writing code for you or providing IT services for you? The proper definition of scope is very critical in order to put those boundaries in place and understand what kind of evidence has to be collected after the fact. So, begin thinking about scope and how you would scope the audit so that you can discuss that with your SOC 1 auditor.

Understanding Your SOC 1 Report: What is a Gap Analysis?

A gap analysis is designed to prepare organizations for an audit. If it’s your first time going through an audit (SOC 1, SOC 2, PCI, HIPAA, HITRUST CSF, etc.), KirkpatrickPrice strongly recommends a gap analysis. This is a process of discovery, a chance to find areas of weakness, and an opportunity to gain industry insight. A gap analysis is not an audit. This process will examine your internal controls in order to identify operational, reporting, and compliance gaps and to provide advice on strategies to manage control objectives going forward. A gap analysis is an efficient way to determine the steps you need to take in order to reach your information security and compliance goals based on the current state of your organization’s security controls.

Through a virtual or onsite gap analysis, one of our experienced, senior-level auditors will spend time with your team and review policies and procedures, perform interviews of responsible personnel, and create a gap analysis report. If a gap analysis is performed, KirkpatrickPrice will document identified gaps and recommended actions in our Online Audit Manager and provide the raw findings. After an organization has remedied the non-compliant findings, KirkpatrickPrice will continue with the audit.

If it’s your first time going through an audit of a specific framework, let us be your guide. Contact us today for more information on the value of gap analysis and what KirkpatrickPrice’s process is.

Video Transcript

One of the things that we offer to assist organizations in the beginning of their SOC 1 audit is a gap analysis. One of our experienced, senior-level auditors will come to your facility and spend time with you to review your policies, procedures, and practices, interview your staff, and quickly identify any gaps that must be addressed in order to proceed with the audit. Our firm provides audit services worldwide, so no matter where you are, this gap analysis can be a very valuable way to quickly analyze what you have in place and what you need to have in place in order to complete a SOC 1 audit.