During a SOC 1 or SOC 2 engagement, the auditor uses four main techniques to test each control in place at the service organization: inquiry, observation, examination or inspection of evidence, and re-performance. These tests help the auditor develop an opinion on the suitability of the design and the operating effectiveness of controls in place at the service organization.
- Inquiry: The auditor asks appropriate management and staff about the controls in place at the service organization to gather relevant information. Because inquiry alone provides limited assurance, it is often used in conjunction with other, more reliable methods.
- Observation: The auditor watches activities and operations as they are performed. This method is useful when there is no documentation of the operation of a control, such as observing that a security camera is in place or observing that a fire suppression system is installed.
- Examination or Inspection of Evidence: The auditor reviews records to determine whether manual controls are being performed. For instance, are backups scheduled to run on a regular basis? Are forms being filled out appropriately? This method often includes reviewing written documentation and records such as employee manuals, visitor logs, and system databases.
- Re-performance: The auditor manually executes the control to confirm that it produces the expected result. This method is used when the other methods combined fail to provide sufficient assurance that a control is operating effectively.
The results of these testing procedures are documented within the final report and include any relevant exceptions to the controls.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.