Testing Procedure

What SOC 2 compliance testing procedures does an auditor follow?

This question can only be answered at a high-level. The reason for this is that the specific methodology of each auditing company varies. In all instances, the testing procedures that are defined, address the same requirements (i.e. a specific control is tested in a similar manner), but the approach may be slightly different.

Example

Auditing firm X may determine that for a sample based control with a population of more than 300 instances, a sample of 20 should be tested. On the other hand, auditing firm Y may have a methodology stating that in order to determine a sample to be tested, the frequency, risk, and prior test results are to be applied. As you can see, both auditing firms will still test the control using a sampling approach, even though they differ slightly.

With this in mind, it is easy to identify that there are defined processes for the testing of different types of controls by different auditing firms. Furthermore, testing methodology is something that is reviewed and updated by the respective auditing firms on a regular basis. As information security aspects, results from previous audits, and worldwide standards change, so must the methodology to ensure that the most appropriate, accurate, and complete testing approaches are applied.

What are the testing procedures during the SOC 2 gap analysis process?

During any readiness phase of an audit, a gap analysis process should be used to identify where there is a mis-alignment or in some cases, an absence, of a process or procedure that is implemented to mitigate a risk. Essentially, where there are gaps. As we know, a control is implemented to address a gap, and so when considering this phase of any audit readiness process, the testing procedure that is most appropriate here would be inquiry and inspection. The reason being is that the purpose of this process is to identify the control, review what is currently in place, and determine where gaps exist. As such, whoever is managing and leading this process would inquire with the relevant control owners, and inspect evidence to determine its applicability to the control, as well as address the risk.

What internal testing procedures are performed to ensure that evidence is sufficient for an audit?

When performing an internal review, the testing procedures will build on from the gap analysis phase. During an internal audit process, the personnel responsible for conducting this process will essentially perform a ‘mini audit’. What this means is that they will review policies, processes, and procedures in place, and compare them to a defined control list, determining if there are any gaps. Additionally, the process may include selecting samples for some relevant controls, to determine if a consistent approach is followed in all instances.

When conducting SOC 2 compliance testing procedures, you may find that there are gaps present that require further investigation. It is important to understand them in detail before making any decisions about how to address these gaps.