Viewing entries in


Another AICPA Adavanced IT Audit School completed.

Dr. Tommie Singleton and I served as instructors for the recently completed  AICPA Advanced IT Audit School. The school was well attended and, as always, was interactive with loads of great ideas and comments. The SOC reporting process  is addressed during the school and brings insight and  information from all over the U.S.

One of the areas that was a topic of discussion was IT testing for SOC 1 (SSAE16) and SOC 2. Often IT is not tested properly and leaves the users of the SOC report (auditors, regulators, and user organizations) without a clear understanding of what was tested and the results. Basically the term "best practices" is used quite often to describe when a control does not meet a criteria. The important thing to remember is IT testing should be applicable to the user of the report and the services offered. Testing a policy DOES NOT complete a test of operating effectiveness of things like password parameters, firewall effectiveness, proper user removal, and many, many more. I often see referral to a policy as a test of effectiveness of logical access. While an adequate policy is important, it is only effective when the controls are set up to meet the policy requirements. The only way to know a control is effective is to TEST.

Another important point in SOC reporting is for service organizations to maintain evidence a control is working properly over the testing period (usually 12 months). This means things like log files should be maintained for more than 12 months to ensure evidence to support a conclusion the control operated effectively over the period. If you have any questions about adequate testing or audit evidence contact one of our team at Auditwerx.



SOC 2 Audit Guide

The purpose of a Service Organization Controls (SOC) engagement is to provide assurance that a service organization’s controls and processes are in line with the standards set by the AICPA (American Institute of Certified Public Accountants). A SOC 2 attestation is specific to service organizations that do not directly impact their users financial reporting. Companies that would qualify for a SOC 2 report include organizations in the information technology or data processing industry, such as hosting providers, Software-as-a-Service (SaaS) or cloud service organizations.

A SOC 2 audit quantifies the quality of the organization’s security, availability, processing integrity, confidentiality and privacy controls in accordance with the Trust Services Principles (TSP Section 100) over a given time period. It is important to note, that a service organization is not required to report on all principles. The AICPA describes the trust services principles below:

Security:  The system is protected against unauthorized access (both physical and logical).
Availability:  The system is available for operation and use as committed or agreed.
Processing Integrity:  System processing is complete, accurate, timely, and authorized.
Confidentiality:  Information designated as confidential is protected as committed or agreed.
Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

The process of a SOC 2 audit includes several duties that management has to complete during the process. These tasks include determining the type of engagement to be performed, drafting a description of the organization’s system, writing an assertion and representations, and providing the auditor the necessary supporting documents.. By identifying these steps up front, our audit team can develop a customized readiness plan to assist management in the preparation phase of the audit. A customized checklist details the timeline of the audit to be completed.

Often times a SOC 2 is  requested by a user organization that is looking to partner with a potential service organization. The report is used to evaluate the risk of a user organization’s data and information that is hosted with a service organization. Additionally, a service organization may request a SOC 2 audit of themselves for internal purposes such as improving controls and processes.

The benefits of a SOC 2 audit for an organization are numerous. Aside from having a detailed description of a service organizations adherence to the trust service principles, the report also includes the service auditor’s testing procedures. This report allows management to assess the strength of a potential provider at a detailed level.

A SOC 2 report can help an organization improve their business operations and become more efficient and provide assurance to companies when selecting vendors. The service auditor who performs the audit should have in-depth knowledge of information technology and security procedures. Auditwerx has performed hundreds of SOC 2 attestations for service organizations over the years. Our audit team recognizes the difference in reporting techniques for service organizations. Our exclusive focus on service organization audits has assisted numerous customers since 2005.

To learn how Auditwerx can improve your controls and procedures, contact us today.