Frequently Asked Questions

We know that compliance can be confusing. We’ve got the answers you’ve been looking for.





Audit Process

  • What does the audit process entail?

    Each audit framework has specific requirements and processes.  The average KirkpatrickPrice audit process typically consists of the following steps:

    • Gap analysis
    • Scoping exercises
    • Onsite visit
    • Evidence gathering period
    • A report

  • How long does an audit take to complete?

    The average audit can take anywhere from weeks to months, depending on your level of preparedness and staff’s availability for interviews and control demonstration. To satisfy the requirements for an engagement, the auditor must validate scope, perform testing procedures, and document conclusions. These steps require time from the service organization’s management, which can be compressed or extended to meet your timeline needs.

    You can save time by leveraging the Online Audit Manager to maintain the audit evidence you need for compliance.

  • Who is involved in an audit?

    In every audit engagement, the Auditor is required to maintain communication with management and those charged with governance from the service organization. Other team members involved in the audit could come from anywhere in your organization, ranging from human resources to development to compliance officers – anyone with the appropriate responsibilities for and knowledge of the matters concerned in the audit.

Audit Readiness

  • How do I prepare for an audit?

    We know you want to feel ready before you start your audit so that the process ends in success. But we believe you’re always ready for an audit when the audit firm is committed to helping you improve and strengthen your security posture. An audit can be used as a tool to find gaps in your security program and identify ways to make them stronger.

    But we also know you want to get ready at your own pace, and we have plenty of resources to help you out.

    We suggest creating a free account on the Online Audit Manager. You’ll be able to work through every requirement of your audit before ever having to call us, but if you need some help, live help is integrated into the experience so you can get the answers to your questions immediately.

  • Can an automated tool help me prepare for my audit?

    Automation can definitely help make your compliance efforts more manageable, but you can’t trust your organization’s compliance to automation alone. There is a way you can leverage the convenience of automation to make your audits less overwhelming.

    With the Online Audit Manager, you can still upload your compliance documents to an easy-to-use platform that helps you keep track of your progress and goals, but industry experts will be able to review and leave feedback on your documents within the application. The OAM is the best of both worlds and can actually save you time as you work to complete your next audit.

    Create your free OAM account to start saving time the right way and get the assurance you deserve.

  • How do I choose the right audit framework?

    Choosing the right audit framework can be overwhelming.  It depends on a number of factors, but we’ve written a blog that details them all.  You’ll learn about the 10 most common information security frameworks, who they apply to, and how they can benefit your organization.

    Read the guide here.

    And if you still have questions, we’d be happy to help you figure it out.  Just connect with one of our experts!


Choosing the Right Audit Firm

  • How do I make sure I picked the right audit firm?

    In order to successfully protect your data and your reputation through an information security audit, you must first choose an audit firm. Here are five things to ask yourself when choosing an audit partner:

    1. Is the firm qualified?
    2. Is the firm committed to quality?
    3. Do the firm’s goals align with yours?
    4. How can the firm help you prepare?
    5. What does the audit process entail?

    Finding the audit firm that’s right for your organization is intimidating, but these questions should help you determine which firm is right for you.  Read more about how they can do that here.

  • Why is quality testing so important to my audit experience?

    Your audit should involve more than just a checklist where a firm checks a box saying that you have all of the necessary policies and procedures required of you. A quality audit should involve your auditors actually reading and reviewing those policies and procedures to make sure your organization is truly doing what is outlined and what is needed to secure your unique environment.

    This may mean that your audit has findings, but we believe that’s actually a good thing.  A “clean” audit isn’t always an indicator of a secure environment.  Quality testing will give you results you can trust.


Audit Basics

  • What do I receive when my audit is complete?

    An audit culminates in a report. The components and formatting of audit reports delivered by KirkpatrickPrice are based on guidelines provided by the specific frameworks and standards of the audit and written by our in-house Professional Writing team.

  • How much does an audit cost?

    Pricing for an audit depends on scoping factors, including business applications, technology platforms, physical locations, third parties, and audit frequency. Pricing will also vary based on the report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.

    If an audit doesn’t currently fit in your budget but you still want to prioritize your compliance efforts, check out our Lift-Off subscriptions! You can run security scans, analyze your policies, and prepare for your audit at your own pace.

  • How long is an audit report valid?

    Audit reports cover a period in the past. Typically, your clients will not accept a report issued more than 12 months ago because they want your testing to be relevant for their own audit period.


  • How often does an audit need to be performed?

    The industry standard is to schedule an audit annually or when significant changes are made that will impact the control environment. Any frequency less than that will demonstrate a lack of commitment to compliance, plus it may cause distrust. Maintaining an audit process that covers each fiscal year will demonstrate a commitment to compliance and ongoing testing of controls, which ultimately contributes to the health of your organization.

  • What is the difference between a type I audit and a type II?

    For both SOC 1 and SOC 2 audits, you can receive a type I or type II report. The difference is that a type I is an attestation of controls at a specific point in time, whereas a type II covers a certain time period (normally the last year).

    The Type I reports on the description of controls provided by management of the service organization and attests that the controls are suitably designed and implemented. The Type II reports on the description of controls provided by management of the service organization, attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.

    Learn more here.

Check out the audit frameworks to learn more about specific audit types.
