For a company preparing to undergo a SOC audit for the first time, one of the most confusing and time-consuming parts of the process can be determining which controls are in place to be tested. Your auditors will be available to walk you through this, but having a good understanding of how to distinguish your company's procedures from what can be considered a control can make the stages from planning through testing go much more smoothly. Procedures are often mistaken for controls early in planning, and that misunderstanding tends to push out the time frame established for testing: a "control" that turns out to have no evidence behind it cannot be tested and has to be replaced or redesigned mid-audit. When deciding whether a policy or procedure can be considered a control, ask yourself whether you can answer what, who, when and how about the procedure in place.
- What: What does this procedure do to support the company's control objectives? Does it help prevent fraud or enforce segregation of duties; does it help ensure transactions are processed in a timely manner or that data is entered accurately?
- Who: Who is responsible for performing the procedure? Is there a hard stop in the system that prevents a certain action from taking place, or is there a secondary review in place to verify that information has been captured correctly?
- When: When does this procedure take place? What is the frequency of the review, and are there systematic flags in place to alert personnel of upcoming deadlines?
- How: How can the procedure be tested? Are there configuration settings or documented reviews that can be provided as evidence?
When defining the controls for your organization, keep in mind that evidence is proof. Make sure you can provide evidence for every control you have identified. If there is a reconciliation process or a secondary review of a file, it is not enough to simply say that it happens. For that process to be considered a control, it should be documented, and that documentation should be available to supply to your auditors as evidence (for example, a signed-off reconciliation, a review log, or a screenshot of the system setting that enforces the hard stop). It becomes difficult to support that a control is operating effectively if there is no evidence to supply, because in that case the control is really just a procedure. If you ask yourself the four questions above, you can make sure the controls you identify are in fact controls, better inform your auditors about the types of evidence you can provide, and be on your way to a successful and smoothly executed audit.
Contact us with any questions that you have regarding controls or procedures.