How Do Auditors Perform Tests of Controls?
In order for an audit firm to provide reasonable assurance and issue an opinion on an organization’s compliance in a SOC 1 or SOC 2 audit, it has to test the internal controls the organization has in place and verify that they are working as intended. To do this, auditors typically perform three types of tests of controls: interviews, reviews, and observations.
- Interview: Interviews play a critical role in an assessment because they let auditors talk to an organization’s employees – the people responsible for effectively implementing its internal controls. During the interview, auditors want to find that employees understand the purpose of the controls they’re responsible for and how they have been trained to implement them effectively.
- Review: During an audit, auditors need to ensure that organizations are doing what they say they’re going to do, and to verify this they review documentation, such as policies and procedures. For example, if an organization’s policies and procedures say that new hires receive initial security awareness training and then take courses annually thereafter, an auditor will want to see documentation, such as completion reports, to confirm that this is taking place.
- Observation: While interviews and document reviews allow auditors to test an organization’s internal controls, observing how those controls are implemented is another way auditors can verify that controls are in place and functioning as intended. For example, if your organization claims that it uses antivirus software that updates every day, every four hours, an auditor would want to observe that this is actually taking place.
In your audit report, you’ll see a section titled “Auditor’s Test of Controls.” This is the section where we disclose what we did and what we based our opinion upon. We’re trying to achieve that level of reasonable assurance, and our tests help us get there. There are three types of tests that we typically perform here at KirkpatrickPrice: review, observation, and interview. Interview is where we talk to your employees, the people who are responsible for your controls. We make sure that they understand the purpose of the control and what they’ve been trained to do to execute their tasks at their job. Review is usually reviewing documentation. If you state that you have a policy that governs your information security practices, or a policy that governs your hiring and termination practices, or training materials that your employees follow after they’re hired and annually thereafter, we will review evidence of that documentation and those policies to make sure that those things are in place, enforced, and updated on an ongoing basis. Finally, we have observation as a test of control. This is where you might say to us, “We have put this system in place to monitor the health of our network. We have this software development lifecycle that our developers follow. We have antivirus installed and it updates every day, every four hours.” These are things that we will observe in order to make sure the controls are actually there, in place, and operating effectively. Any time we perform these tests and find something that’s not working the way it’s supposed to, we bring those issues to management and let you know about them immediately, so that you can remediate anything that’s critical in nature.