What is Upstream and Downstream Testing in Auditing?

Audit testing procedures

There are many different types of testing that are available for completing audit procedures. Specifically for SOC 1 and SOC 2 engagements, our test procedures for each control in the report will include inquiry, inspection (or examination), observation, reperformance, or a computer-assisted audit technique (CAAT).

Some controls that we test will include more than one of these methods of testing. For more information on the types of testing methods, please see our article titled Five Types of Testing Methods Used During Audit Procedures.

Within these five methods of testing, there are various ways to go about the completion of the test. To ensure we are getting the coverage we need and assurance the control is operating, we complete “downstream” and “upstream” testing procedures.

In this post, we explain what the concept of downstream and upstream testing is in the context of an easier and more straight forward audit area to test — Physical Access.

One audit objective for physical access testing that is easy to understand is confirming that the right people have the right access. This sounds very basic, but confirming this is a little more involved.

Below we will walk through testing the appropriateness of physical access using downstream testing and upstream testing, which is looking at access from both directions; who has access right now and is it appropriate, who used their physical access during the period, and was that use of access appropriate?


Downstream testing

Downstream Testing – Physical Access Example

For physical access testing, the first step involves obtaining a list of active key card or badge holders and selecting a sample. Sampling should be based on the sampling guidance noted within the AICPA Audit Sampling Guide (for further information on sampling refer to our article, Audit Sampling in SOC Examinations). The testing will then determine, with the assistance of the client and review of provided documentation, whether the active key card holders were:

  1. duly authorized when initially granted access, and…
  2. whether their access is still authorized at the time of testing (e.g., a current and authorized employee, contractor, vendor, etc.).

This method of testing seems easy, right? Yes, this downstream audit procedure is the easier part of the test. The next audit procedure (“upstream” testing) is slightly more difficult.


Upstream testing

Upstream Testing – Physical Access Example

The upstream audit procedure requires that the activity log for the period being reviewed is obtained from the key card system that includes all key card or badge activity for all holders. Even the activity for those holders that no longer have an active key card or badge needs to be included for the purposes of this testing.

An unmatched query should be run against the list of active key card or badge holders to determine which activity log entries do not match to a current key card or badge holder. Again, a representative sample of these entries should be made and then the auditor will work with the client to figure out if that access was appropriate at the time it occurred. The activity could be for a previous employee not on the current key card or badge holder list, or there could be a number of other explanations.

There are many other aspects to physical access testing not covered in this blog post, such as termination testing (e.g., employee, contractor, client, vendor), an inspection of key card stock, accounting for assigned key cards, and last accessed date analytics. Suffice it to say that audit testing is multi-faceted and more complex than the simply stated objective of the right people having the right access.


When do you use upstream and downstream testing?

When do you use Downstream and Upstream Testing?

Not every control tested requires downstream and upstream testing. Some controls can be tested using inspection or examination and reasonable assurance can be reached easily through that method and no further testing is required.

As controls are being identified and testing methods are being determined, it is important to consider if the control can be and should be tested using downstream and upstream testing. Just like the physical access example above, this method can also be applied when looking at logical access.


At Linford & Company, for all of our engagements, we strive to ensure that we are performing the appropriate testing procedures for all controls we are testing, as well as complying with the guidance set forth by the AICPA. If you would like additional information about testing methods or any of our services, please contact us or click on the following links: SOC 1, SOC 2, HIPAA audits, HITRUST, Royalty Audits, FedRAMP.