
How Do SOC Auditors Determine Which Testing Method to Use?
The way that controls are tested for a SOC audit is always situation-based, according to Joe. Usually, the nature of the control determines how we test. For example, firewalls are always observed; that’s just how they need to be tested.

“Inquiry is always a part of the testing process too; it just naturally happens, but we wouldn’t consider the information reliable enough to take it at face value. Whenever inquiry alone is the testing method, it should be considered a deficiency. The information is not very substantial.” That’s why auditors working for credible firms—like I.S. Partners—always try to back up these weaker testing methods with another type of evidence.


How Has SOC Testing Changed in Keeping with Technology?
One recent development in our field is the move towards automation of the auditing process. Auditors have been largely responding to this increased demand. Automation has valuable advantages for audited entities because it can streamline evidence collection and make auditing smoother.
“But what a lot of startups and companies that are new to compliance don’t always understand is that SOC testing and reporting really require a certified auditor. This is a huge issue in the market currently… Vanta, and automated audit tools like that, don’t do testing. Plus, what the tools tell you to expect may not be what the auditor will ask of you during the actual audit. There’s a lot of due diligence that still needs to be done even if you sign up with one of these tools. Automated tools might be helpful for audit preparation, if an organization has an internal person who knows what he/she is doing. But to actually pass a SOC audit, the company needs to be able to describe controls or functions of your environment in detail, which can present major challenges if your organization doesn’t have that information on hand. There is no cookie-cutter approach; passing an audit requires real monitoring and a real control environment,” explains Joe.
Another new development is the migration to cloud computing. “As our clients rely more heavily on cloud environments, the amount of testing related to physical access has largely decreased. As the responsibility for physical access shifts to CSPs, our clients can focus more on vendor monitoring. We remind our clients that they are still responsible for their data stored in the cloud and help them set up reliable ways of monitoring their third-party cloud vendors.”

