Understanding Your SOC 1 Report: Audit Risk, Control Risk, and Detection Risk
Driven by Risk
An information security audit is largely driven by risk. We know that your clients rely upon our opinion; we don’t take that lightly. We will do everything possible to gain reasonable assurance that controls are in place and operating effectively. This is why audit risk, control risk, and detection risk are so important to us. These elements of risk overlap and work together, but they also drive our audits so that we can give you reasonable assurance.
What is Audit Risk?
In an audit of financial statements, like SOC 1 audits, audit risk is defined by the PCAOB as, “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.” What are the chances of an audit firm’s opinion being incorrect? What are the chances something gets overlooked? This all factors into the concept of audit risk.
What is Control Risk?
What are the chances that your controls are not operating effectively? What are the chances that the failure of a control leads to a material misstatement in the financial statements? This is control risk. If you rely upon a person to monitor something, there are inherent limitations. Why? Because people make mistakes. The more that people are involved, the higher the control risk. But there is control risk in automated processes too, because systems fail. There is always some level of control risk, but an auditor will design tests that give us reasonable assurance that controls are in place and operating effectively.
What is Detection Risk?
What are the chances that an auditor fails to detect something that exists? This is detection risk. In relation to SOC 1 audits, the PCAOB defines detection risk as, “The risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, individually or in combination with other misstatements. Detection risk is affected by the effectiveness of the substantive procedures and their application by the auditor.” An auditor can reduce detection risk by designing tests of policies and procedures and applying sampling to help give reasonable assurance that a control is in place and operating effectively.
As you work with your auditor on your SSAE 16 (now SSAE 18) engagement, one of the concepts to be aware of is how audit risk, control risk, and detection risk relate to one another.
As an audit firm, we’re always concerned about whether or not our opinion is accurate about the service organization that we’re auditing; that’s the concept of audit risk. What are the chances that our audit will be incorrect? That we will miss something?
Control risk is the chance that your control is not operating effectively. The more that people are involved, the higher the control risk. For example, if you rely upon a person to monitor something or do something, there are inherent limitations to that because people make mistakes. There are also inherent limitations to automated processes because systems fail. There is always some level of control risk, and the auditor will design tests to help us gain reasonable assurance that the control is in place and operating effectively for as much of the audit period as possible. That relates to detection risk.
What are the chances that we, in our audit, won’t detect something that exists? The auditor will design tests and apply sampling in order to get a good snapshot of the control being in place and operating effectively, so that we can be reasonably assured in the opinion we provide to you, the service organization. In turn, your clients will rely upon that opinion, which is why the audit has to be properly scoped and properly conducted, and why it is always driven by the elements of risk I’ve described.