The Auditor’s Test of Controls: Review, Observe, and Interview
At the end of a SOC 1 Type II report, you’ll find a section titled “Information Provided by the Independent Service Auditor.” Within this section is the “Auditor’s Test of Controls,” a description of the controls that were tested during the audit, the procedures used to test them, and the results of that testing. Tests of controls are the procedures the auditor performs to obtain reasonable assurance that the controls operated effectively over the report period (for a Type II report, an interval of time rather than a point in time). When reviewing a SOC 1 Type II report, read both the auditor’s opinion and the results of the tests of controls: together they tell you whether a service organization’s controls were suitably designed and operating effectively, including any exceptions the auditor found.
The procedures used for testing controls typically fall under one of three categories: review, observe, or interview. Let’s say your service organization states that it has a policy governing physical security, covering things like door locks, surveillance cameras, onsite security guards, alarms, and the issuing of visitor badges. An auditor could review the relevant documentation to confirm that the physical security policy exists, is in place, and is known to employees. An auditor could observe physical security practices in action, such as the process for issuing visitor badges, to confirm the same thing. Or an auditor could interview the personnel responsible for issuing visitor badges to confirm it. In practice these procedures are combined: an interview alone tells the auditor what staff believe happens, while reviewing records and observing the process show what actually happened during the period, so a well-supported test of a control usually rests on more than one of the three.
An auditor’s tests of controls are designed uniquely and specifically for the controls that your service organization has put into place. If the SOC 1 Type II report notes exceptions, for example, “In this case, the physical security control was not operating as it should have been,” those situations are reported to management so that they can be remediated as soon as possible. Readers of the report should pay particular attention to these exceptions, since they identify the specific controls that did not operate as described during the period.
For an SSAE 16 (now SSAE 18) Type II report, there’s a section titled “Auditor’s Test of Controls.” These tests of controls are procedures that the auditor goes through to provide reasonable assurance that the controls have been operating effectively over a period of time.
One example of a test of control an auditor would perform is a review of a policy. If you have stated that you have a policy governing information security, logical access, human resources, physical security, or application development, one test of that control is for the auditor to review the document to ascertain that it exists, that it is in place, and that people know about its existence.
Another test of control would be an observation. If one of your controls is, “We train our employees when they are hired,” or, “We monitor our network health in order to identify system capacity,” or if another control is, “We conduct peer review on our application development processes among our development teams,” an auditor may observe these practices or look for evidence that would provide them assurance that these things are taking place.
These tests of controls are designed uniquely and specifically for the controls that you’ve put into place and the auditor writes up a description of the tests that were performed and what the results of those tests were. There could be exceptions provided in the report, “In this case, this control was not operating as it should have been,” and of course, those situations are reported to management so that they can be dealt with and remediated as soon as possible.