Ever wonder what an auditor means when they say they’d like to get to know your entity and its control environment? Through this blog, we walk through why this topic is important to an auditor, what the procedures are to understand the entity and its environment, and how this information is used in compiling a SOC 2 report.
What is Obtaining an Understanding of the Entity and Its Environment?
Obtaining an understanding of the entity and its environment is how an auditor develops a framework which is then used by the auditor in determining the relevancy of internal controls in addition to assessing the risks of the environment.
An understanding of the entity provides insight into the inner workings of the environment. Developing an understanding will assist in determining the inherent risks and residual risks to be considered in a SOC 2. Throughout the audit, as the auditee asks questions, the auditor will be able to provide more direct guidance through recommendations by having a solid understanding of the entity.
Why is Obtaining an Understanding of the Entity and Its Environment Important For the Auditor?
The knowledge that is gained from understanding the entity and its environment will evolve into Section III and Section IV of the SOC 2 report. Section III of the SOC 2 report will provide a description of the platform or services including an overview of the organization. In Section III it’s important to provide the reader of the SOC 2 report a thorough insight into the services provided, the structure of the organization, and the relevancy of data, software, and infrastructure. An understanding of the entity will also be integral in Section IV of the SOC 2 report, as the auditor will provide a written description of the procedures used to perform tests over internal controls. The procedures performed are developed through the auditor’s understanding of the entity and its environment.
Services Provided: When obtaining an understanding of an entity and its environment an auditor will gauge the risk of a company based on several attributes. The industry in which an entity resides will have inherent risks depending on the operations of the company. A manufacturing company will have different risks and goals than a SaaS (software as a service) company. Regulatory requirements can shift between industries as well, which can impact the scope of an audit and the compliance standards that the entity may need to meet.
Subservice Organizations: Part of the entity’s environment is its association with third-party companies. If the entity relies on a third-party organization for the continuity of its business, then the third party becomes relevant to the entity’s audit. Taking an inventory of your third-party vendors is helpful in establishing which third parties are critical to the audit. Once a third party is deemed critical the entity and its auditor will need to assess which CUECs (Complementary User Entity Controls) are relevant to the entity itself. Additionally, by understanding the entity’s own environment, the auditor can determine if CUECs need to be included in the entity’s SOC 2 report for its own customers.
People, Software & Infrastructure: Determining if the company is centralized or decentralized will provide insight into how the organization is structured, how communication occurs between individuals and how departments are aligned for the purpose(s) they serve. The auditor will also ask questions about the system structure. The risk of a company and the relevant internal controls will depend on if a company uses a cloud platform versus storing servers in their own office building, for example.
Depending on the entity and its environment, different combinations of SOC 2 trust service criteria may be relevant. An entity may want the availability criteria included in their SOC 2 if the services provided to customers are significantly affected by downtime. If the entity has access to customer or client data and PII (personally identifiable information) then the confidentiality criteria may be relevant to be in scope for the SOC 2. HIPAA compliance could also come into scope for entities that store health-related data.
What are the Procedures an Auditor Can Use to Obtain an Understanding of the Entity and Its Environment?
Facilitating meetings or walkthroughs between the entity and its auditor provides a foundational understanding of the entity and the design of its environment. As risks and relevant controls are determined and discussed, an auditor will perform an observation of relevant processes and an inspection of the corresponding evidence. The observation and inspection will gauge if the internal control is implemented and operating effectively within the environment.
To gain an understanding of the systematic structure of the environment, it’s beneficial to provide auditors a network or data flow diagram. A network diagram should focus on the infrastructure and hardware of an environment which can include the hardware’s geographical location. The geographical location can impact an audit as countries can hold different regulatory standards. A data flow diagram should focus on applications and tools which are used to process the entity’s data and evidence where the data is transmitted into and out of the company’s environment.
Policies and procedures will also provide insight into the processes and should be specific enough to not only assist the audit in understanding the entity but will also assist newly onboarded individuals to provide an understanding of the entity to them as well.
Can the Nature of an Entity Change Over Time?
Yes. This is why auditing is a continuous process and this is why walkthroughs are performed every year in order to gather and update the auditor’s understanding of the environment. Entities organically change depending on market conditions, advances in technology, and events that are out of our control – such as a pandemic! In 2020, with the COVID pandemic spreading across the globe, many clients changed their relationship with physical security by ceasing to use brick and mortar establishments. This in turn modified their SOC 2 and internal controls. Additionally, with more users working remotely new risks emerged that needed to be considered.
As your entity morphs over time the ongoing monitoring activities, such as audits and risk assessments, are beneficial to establish that the entity remains in compliance.
Summary
In summary, it is important to be prepared for your auditor to learn about your entity and its environment and how to efficiently provide data and answer the expected questions. To learn more about the SOC 2 audit services offered at Linford & Co and gain a better understanding of the internal controls evaluated as part of the audit, contact us.
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.