Operating Effectively Over a Period of Time

When considering pursuing a SOC 1 Type II report, there is a new element to consider: determining your audit period. It is important to remember that a SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact its user entities' internal control over financial reporting. A Type I report, however, covers only the design and implementation of those controls as of a single point in time, while a Type II report also includes an opinion on whether the controls operated effectively throughout a stated period. If the auditor's tests show that the controls operated effectively over that period, the report can conclude that the control objectives were achieved.

If your clients require a SOC 1 Type II report, your service organization will undergo more testing than in a SOC 1 Type I audit. Because additional testing is necessary to determine that the controls are not only in place but also operating effectively over a period of time, SOC 1 Type II audits take more time to conduct.

It’s common to ask, “How do we determine our audit period?” when planning a SOC 1 Type II audit. That needs to be a conversation you have with your auditor. The review period is typically six to 12 months, but because every circumstance is different, you and your auditor must determine what’s appropriate for your service organization.

Considering client needs and timing constraints is critical when pursuing a SOC 1 Type II report. If you have questions about SOC 1 reports, view more of our SOC 1 video resources or contact us today.

For your SSAE 16 (SOC 1) Type II report, the controls that are under review have to have been put in place for a period of time, and the auditor will perform tests of operating effectiveness to ensure that those controls were operating effectively over that period of time.

One of the questions that we receive is, “What period should we evaluate as part of this audit?” That will be a conversation between you and your auditor in order to determine what the review period should be, but it is most commonly six months or 12 months. Please speak with your auditor about what is most appropriate for you and your circumstance.

So What Is Scope, Anyway?

No matter what kind of data you’re protecting – financial information, cardholder data, ePHI – you need to understand where your assets reside and what controls are protecting them. This is why the scoping process is so important. If you don’t know where your data is, how do you plan to protect it?

What is scope? How do you determine an accurate definition of scope? The scope of an assessment identifies the people, processes, and technologies that interact with, or could otherwise impact, the security of the information to be protected. Scoping is the first step for any assessment and also one of the most important elements of an information security assessment because ignoring any of the relevant people, processes, or technologies could severely impact the quality and reliability of the entire assessment.

SOC 1 reports were primarily designed to report on the controls of service organizations that are relevant to their user entities' internal control over financial reporting. For a SOC 1 audit, the scoping process may look something like this:

  • Which locations are involved?
  • Do you have any third parties? What services do they provide?
  • How many business applications and technology platforms are involved?
  • Which systems are involved?
  • What people are responsible?
  • Which processes focus on internal control over financial reporting?

As you work with your auditor, you will determine a proper definition of scope. Scoping is critical to putting boundaries in place for collecting evidence. If you have questions about scoping, SOC 1 audits, or want help demonstrating to your clients your commitment to security and compliance, contact us today.

One of the very first things you’ll work with in a SOC 1 audit is the definition of scope. As you work with your auditor, you will define what the proper scope is for the audit, such as what locations are involved, which services are in scope for the audit, which processes, which vendors are involved. Are there outsourced services from vendors that are writing code for you or providing IT services for you? The proper definition of scope is very critical in order to put those boundaries in place and understand what kind of evidence has to be collected after the fact. So, begin thinking about scope and how you would scope the audit so that you can discuss that with your SOC 1 auditor.

Vendor Compliance Management

As you’re preparing your service organization for a SOC 1 audit, you want to identify who your third parties or vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Any control that governs the vendors you utilize will be reviewed in a SOC 1 engagement. Your vendors might include a data center, an application service provider, a managed IT provider, or another type of third party that may have access to client information or your critical systems. When you’re scoping your SOC 1 engagement there’s a decision you must make: utilize the carve-out method or the inclusive method? Each method is a way to handle outsourced services in your SOC 1 report.

The Carve-Out Method

Using the carve-out method would be appropriate if your vendor (the subservice organization) has undergone an audit themselves. If using the carve-out method, the vendor's control objectives and related controls are excluded from the scope of your audit. Your auditor would request the vendor's audit report and review it as part of your engagement, resulting in that vendor being carved out of your report. The service organization's description of its system would still identify the services performed by the vendor and the controls you use to monitor the vendor, and it would identify the controls you assume the vendor has in place (complementary subservice organization controls) that are needed to achieve your control objectives, but it would exclude the vendor's own control objectives and controls. If you want to communicate your vendors' commitment to security to your clients, your clients would review your report for your controls and the vendor's report for the vendor's controls.

The Inclusive Method

The inclusive method is utilized when the third party is in scope for your audit. The auditor would require a written assertion from the vendor's management, visit the vendor, involve them in the audit, ask them questions, and collect evidence. It is important to note that if an auditor cannot obtain a written assertion from the vendor's management, then the inclusive method cannot be used. The service organization's description of its system would include the services performed by the vendor and the control objectives and controls related to the vendor.

Lately, there has been a greater focus put on vendor compliance management. The decision to use the carve-out or inclusive method usually comes down to one thing: your clients’ needs. To learn more about vendor compliance management or KirkpatrickPrice’s SOC 1 services, contact us today.

For a SOC 1 report, one of the controls that would be reviewed would be any controls that you've put into place in order to govern the third parties that you utilize. Your vendors might be a data center, or an application service provider, a managed IT provider, or some third party that may have critical access to client information or your critical systems. In the audit report, there are two methods for evaluating these subservice organizations.

The first one is using the carve-out method. This would be appropriate, in our opinion, if your third party has undergone an audit themselves. We would request their audit report, we would review that as part of your engagement, and that subservice organization could be carved out of your report. So, if you wanted to communicate what your subservice organizations are doing to your clients, then your client would review your report for your controls and the subservice organization's report for their controls.

The other approach would be inclusive. This is where the third party is in scope for audit. We as the auditor would visit them, we would involve them in the audit, we would ask them questions, and we would collect evidence as part of the inclusive method.

This is one thing to be aware of as you prepare for your audit. Identify who your third parties are and whether they’ve gone through audits themselves, because the decision whether to carve out or apply the inclusive method would have to be discussed.

Gap Analysis

A gap analysis is designed to prepare organizations for an audit. If it's your first time going through an audit (SOC 1, SOC 2, PCI, HIPAA, HITRUST CSF, etc.), KirkpatrickPrice strongly recommends a gap analysis. This is a process of discovery, a chance to find areas of weakness, and an opportunity to gain industry insight. A gap analysis is not an audit. This process will examine your internal controls in order to identify operational, reporting, and compliance gaps and to provide advice on strategies to manage control objectives going forward. A gap analysis is an efficient way to determine the steps you need to take in order to reach your information security and compliance goals based on the current state of your organization's security controls.

Through a virtual or onsite gap analysis, one of our experienced, senior-level auditors will spend time with your team and review policies and procedures, perform interviews of responsible personnel, and create a gap analysis report. If a gap analysis is performed, KirkpatrickPrice will document identified gaps and recommended actions in our Online Audit Manager and provide the raw findings. After an organization has remedied the non-compliant findings, KirkpatrickPrice will continue with the audit.

If it’s your first time going through an audit of a specific framework, let us be your guide. Contact us today for more information on the value of gap analysis and what KirkpatrickPrice’s process is.

One of the things that we offer to assist organizations in the beginning of their SOC 1 audit is a gap analysis. One of our experienced, senior-level auditors will come to your facility and spend time with you to review your policies, procedures, and practices, interview your staff, and quickly identify any gaps that must be addressed in order to proceed with the audit. Our firm provides audit services worldwide, so no matter where you are, this gap analysis can be a very valuable way to quickly analyze what you have in place and what you need to have in place in order to complete a SOC 1 audit.

What is an Assertion?

One of the things that management must provide to the auditor as part of a SOC 1 engagement is an assertion. What does that mean? What is an assertion?

In our everyday life, an assertion is a confident statement of fact or belief. In the world of auditing, assertions are still confident statements of fact or belief, but with a twist. Assertions are claims made by management regarding certain aspects of their business. In a SOC 1 engagement, management's written assertion accompanies management's description of the system that you provide as a service to your clients. The assertion states that the description fairly presents the system as designed and implemented, that the controls were suitably designed to achieve the stated control objectives, and, for a Type II report, that the controls operated effectively throughout the audit period. The auditor must determine whether the description is fairly presented and whether the assertion is supported. The control objectives in a SOC 1 report are themselves tied to the assertions in your user entities' financial statements.

Types of Assertions

Financial statement auditors rely upon a variety of assertions regarding a company, and the control objectives in a SOC 1 report are written to address the assertions that your services affect at your user entities. These assertions fall into one of the following categories:

  • Assertions Related to Transactions – This type of assertion relates to the occurrence of transactions, the completeness of transactions, the accuracy with which transactions are recorded, the cut-off of transactions at the end of accounting periods, and the classification of transactions.
  • Assertions Related to Account Balances – Assertions of this type focus on assets, liabilities, and equity balances at the end of a period. They relate to the existence of those balances, the completeness of the recorded account balances in the financial statements, the rights and obligations of the entity, and the valuation and allocation of assets, liabilities, and equity balances.
  • Assertions Related to Presentation and Disclosures – Assertions in this category address how transactions, balances, and other events are presented within the financial statements. They relate to the occurrence of the transactions and events disclosed, the completeness of those disclosures, their classification and understandability, and their accuracy and valuation.

Testing Assertions

Assertions must be validated by auditors during a SOC 1 engagement. If an assertion states that the salaries and wages of all employees have been accounted for, then the auditor will test to confirm this. Reviewing documentation is a major part of an auditor's testing. An auditor, for example, might follow your organization's procedure for checking the occurrence of transactions and reperform it on a sample. If the result of the procedure doesn't match the assertion, the auditor records an exception, and enough exceptions will be reported as a deviation in your report.

More questions about SOC 1 audits? Want help demonstrating to your clients your commitment to security and compliance? Contact us today.