Type II engagements (for both SOC 1s and SOC 2s) require walkthroughs and testing of the controls in place at the service organization to be able to opine on the suitability of the design and the operating effectiveness during the period under review. Each control objective has a number of supporting controls that are walked through and tested, and this is accomplished using a variety of testing methods.
There are four main methods to walk through and test each control in place at the service organization. These methods are (listed in order of increasing complexity): inquiry, observation, examination or inspection of evidence, and re-performance.
- Inquiry: Simply put, the auditor asks appropriate management and staff about the controls in place at the service organization to obtain relevant information. This method is often used in conjunction with other, more reliable methods. For example, an auditor may inquire of management whether visitors to the data center are escorted at all times if the auditor is not able to observe this activity while on site. No control objective should ever be supported by controls tested only through inquiry procedures.
- Observation: Activities and operations are tested using observation. This method is useful when there is no documentation of the operation of a control, such as observing that a security camera is in place or observing that a fire suppression system is installed.
- Examination or Inspection of Evidence: This method is used to determine whether or not manual controls are being performed. For instance, are backups scheduled to run on a regular basis? Are forms being filled out appropriately? This method often includes reviewing written documentation and records such as employee manuals, visitor logs, and system databases.
- Re-performance: This method is used when the other three methods combined fail to provide sufficient assurance that a control is operating effectively. This method of testing is the strongest type of the four. This requires the auditor to manually execute the control, such as re-performing a calculation that a system automatically calculates.
Samples of populations are selected for testing based on the type of test being performed (i.e., a test of one would be completed for an automated control using re-performance, but a sample of the population would be selected for an inspection control), the population size, and the level of precision we want to achieve.
If, during testing, the auditor encounters an error in a test of controls, they will expand the sample size and conduct further testing, or perform additional tests. If additional errors are found, the auditor will consider whether there is a systematic controls problem that renders the controls ineffective, or if the errors appear to be isolated instances that do not reflect upon the overall effectiveness of the control in question.
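As an added example (not code from the original article), the following script shows what an inspection-of-evidence test and the sample-expansion step above look like when written down: it tests a "backups run every day" control against backup job logs, selects a sample of days from the review period, and, on a first exception, widens the sample and classifies the deviations. The log lines are constructed, and the log format, the sample sizes, the systematic selection method and the isolated-versus-systematic threshold are all assumptions made for illustration rather than audit guidance.

```python
"""Added example, not from the original article: an evidence-inspection helper
that tests a "backups run daily" control against backup job logs, selecting a
sample of days from the review period and expanding the sample when the first
exception is found. The log format, the sample sizes and the isolated-vs-
systematic threshold are assumptions made for illustration."""
import re
from datetime import date, timedelta

# Constructed evidence: one log line per nightly backup run (format assumed).
# 4 March failed and 11 March has no run at all; every other day succeeded.
BACKUP_LOG = """\
2024-03-01 02:00:11 backup job=nightly-db status=SUCCESS bytes=10485760
2024-03-02 02:00:09 backup job=nightly-db status=SUCCESS bytes=10489344
2024-03-03 02:00:12 backup job=nightly-db status=SUCCESS bytes=10493184
2024-03-04 02:00:08 backup job=nightly-db status=FAILED error="destination full"
2024-03-05 02:00:10 backup job=nightly-db status=SUCCESS bytes=10498560
2024-03-06 02:00:13 backup job=nightly-db status=SUCCESS bytes=10502144
2024-03-07 02:00:07 backup job=nightly-db status=SUCCESS bytes=10506240
2024-03-08 02:00:10 backup job=nightly-db status=SUCCESS bytes=10510336
2024-03-09 02:00:12 backup job=nightly-db status=SUCCESS bytes=10514432
2024-03-10 02:00:09 backup job=nightly-db status=SUCCESS bytes=10518528
2024-03-12 02:00:11 backup job=nightly-db status=SUCCESS bytes=10526720
2024-03-13 02:00:08 backup job=nightly-db status=SUCCESS bytes=10530816
2024-03-14 02:00:10 backup job=nightly-db status=SUCCESS bytes=10534912
"""

LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} backup job=\S+ status=(\w+)")


def successful_backup_days(log_text):
    """Inspect the evidence: the set of days on which a backup run reported SUCCESS."""
    days = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == "SUCCESS":
            days.add(date.fromisoformat(m.group(1)))
    return days


def period_days(start, end):
    """The population: every calendar day in the review period, inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def select_sample(population, size):
    """Systematic selection (every k-th item) so the walkthrough is reproducible;
    an auditor might instead select haphazardly or at random."""
    size = min(size, len(population))
    if size <= 0:
        return []
    step = len(population) // size
    return [population[i * step] for i in range(size)]


def evaluate_daily_backup_control(log_text, start, end,
                                  initial_sample=4, expanded_sample=8):
    """Test the control for a sample of days; on a first exception, widen the
    sample and judge whether the deviations look isolated or systematic."""
    population = period_days(start, end)
    evidence = successful_backup_days(log_text)
    sample = select_sample(population, initial_sample)
    exceptions = sorted(d for d in sample if d not in evidence)
    expanded = False
    if exceptions:
        expanded = True
        remaining = [d for d in population if d not in sample]
        sample = sample + select_sample(remaining, expanded_sample - len(sample))
        exceptions = sorted(d for d in sample if d not in evidence)
    if not exceptions:
        conclusion = "no exceptions"
    elif len(exceptions) == 1:  # threshold is an assumption, not audit guidance
        conclusion = "isolated exception"
    else:
        conclusion = "possible systematic deviation"
    return {
        "population_size": len(population),
        "sample": sample,
        "expanded": expanded,
        "exceptions": exceptions,
        "conclusion": conclusion,
    }


if __name__ == "__main__":
    result = evaluate_daily_backup_control(BACKUP_LOG, date(2024, 3, 1), date(2024, 3, 14))
    print(f"tested {len(result['sample'])} of {result['population_size']} days, "
          f"expanded={result['expanded']}, exceptions={result['exceptions']}")
    print("conclusion:", result["conclusion"])
```

With the constructed log, the initial sample of four days catches the failed run on 4 March, the sample is widened to eight days, and the missing 11 March run is then found as well, so the script reports two exceptions. The record it returns (population, sample, exceptions, conclusion) is the kind of detail that ends up beside the control in the tests-and-results section of the report.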
The results of these testing procedures are documented within the final SOC 1 section, “Independent Service Auditor’s Description of Tests of Controls and Results” or the SOC 2 section, “Independent Service Auditor’s Description of Tests of Controls, Control Criteria, and Results.” The type of test performed and the results of testing are listed with the control. If there are findings listed in the report, a management response is also included.