SOC 1 and SOC 2 Testing Procedures

During a SOC 1 or SOC 2 engagement, the auditor uses four main techniques to test each control in place at the service organization: inquiry, observation, examination or inspection of evidence, and re-performance. These tests help the auditor develop an opinion on the suitability of the design and the operating effectiveness of controls in place at the service organization.

  • Inquiry: The auditor asks appropriate management and staff about the controls in place at the service organization to gather relevant information about how those controls operate. Because inquiry alone provides limited assurance, it is usually combined with other, more reliable methods.

  • Observation: Activities and operations are tested using observation. This method is useful when there is no documentation of the operation of a control, such as observing that a security camera is in place or observing that a fire suppression system is installed.

  • Examination or Inspection of Evidence: This method is used to determine whether or not manual controls are being performed. For instance, are backups scheduled to run on a regular basis? Are forms being filled out appropriately? This method often includes reviewing written documentation and records such as employee manuals, visitor logs, and system databases.

  • Re-performance: This method is used when the other three methods, even in combination, fail to provide sufficient assurance that a control is operating effectively. It requires the auditor to manually execute the control and compare the result with the outcome the control is expected to produce.

The results of these testing procedures are documented within the final report and include any relevant exceptions to the controls.