Listen to: "Auditing Exceptions and How They Might Impact Your SOC Reports"
In today’s fast-paced, intricately interwoven and increasingly global business landscape, it is more vital than ever for businesses to work together to ensure value and security meet mutual and respective goals. With each associated organization working under its own unique philosophies and internal systems, it can be challenging keeping things running smoothly, which makes audits incredibly important.
The Association of Chartered Certified Accountants (ACCA) maintains a view of audits as having the power to instill trust and confidence in a company’s financial statements. This view certainly extends to the world of reviewing computing systems and internal control audits, as well as a host of compliance, risk and assurance matters.
While many organizational leaders may cringe at the idea that their auditor has uncovered an audit exception—or even a list of audit exceptions—during the auditing process, there is no need to panic over these deviations. When working with your auditor, his or her candor about the state of your internal controls over financial reporting or the Trust Services Criteria is essential to helping you make corrections as quickly as possible.
We thought we would review a few key types of audits, the definition of audit exceptions and some different types of audit exceptions you might encounter.
What Are Some Different Types of Audits Your Business May Need to Perform?
While our team focuses on audits related to System and Organization Control (SOC) matters, such as those involving financial and internal controls, there is a long list of audits or reviews that you may need to perform for your organization during the life of your business.
Here are the two primary types of audits that accounting firms like ours might handle for you:
- SOC 1 for financial reporting and SOC 2 for internal controls reporting
- Compliance regarding matters that might include GDPR, HIPAA, PCI DSS, GLBA, NERC CIP, MARS/SOX and CCPA
Any of these specific audits, along with other audit types not listed, may result in the discovery of audit exceptions that you must then manage.
Why Are Audits for SOC 1 and SOC 2 So Vital to Businesses?
As busy companies continue to outsource portions of their non-core workload to third party organizations, the role of service organizations becomes increasingly crucial to the modern business model.
Service organizations provide services such as cloud computing and storage, Software-as-a-Service (SaaS), Data-as-a-Service (DaaS) and payroll management. For the original business, or user entity, this ultimately means that the service organization has access to at least a portion of the user entity’s data, leaving customer data and intellectual property vulnerable. A service organization must perform regular audits to protect their user entity’s interests, along with their own reputation for diligence and trustworthiness.
While your service organizations are most likely reliable—you will certainly have vetted them and created a mutually agreed-upon service agreement for each service organization, detailing security matters—you cannot leave the security of your valuable data to chance while in the custody of a third party. Accidents, oversights and exceptions can and do happen. Audits can help you find and correct them before they turn into risks, vulnerabilities and data breaches.
What Happens During a SOC Audit?
During your SOC audit, your auditor will gather the necessary evidence to assess and answer certain questions that ultimately provide him or her with reasonable assurance to support an unqualified or qualified opinion to include in the audit report. The process of gathering evidence itself is technically called auditing and includes a few key activities:
Talk to relevant personnel, such as management, supervisors and staff to obtain necessary information.
Inspect Documents and Records.
Ensure that the documents and records are timely and accurate for the auditing period.
Observe Activities and Operations Being Performed.
Watching how staff manages internal controls and the data in their care is an important step in the process.
Test the Controls.
This step may need to be performed more than once to obtain the desired results, varying sample size and different controls.
All together, these activities are the heart and soul of your SOC audit procedures.
What Are Audit Exceptions?
Audit exceptions are merely discrepancies or deviations from the anticipated result of testing one or more of the service organization’s control activities. Each control within the service organization’s description of the audit must undergo testing by your auditor. He or she must verify and validate that the given manager’s description is accurate and that controls have been suitably designed and are operating effectively to achieve all related control objectives or criteria.
Essentially, an audit exception is any finding that falls outside of the expected results of an audit after going through the necessary steps.
What Are Some Audit Exceptions You Might Encounter in a SOC Audit?
Audit exceptions may include omissions. It may also be intentional or unintentional, or qualitative or quantitative. The auditor must comb through all the information to get to the bottom of these possibilities and more. His or her primary requirement is to ensure that a service organization’s description is accurate and includes any design and operating discrepancies in the SOC report. Auditors do not have the option of omitting testing exceptions from the report.
Here are three basic types of exceptions that your auditor may find during a SOC audit.
Deficiency in the Design of a Control.
A design deficiency occurs when a control needed to achieve the control objective has not been properly designed. It must be reported even if the control operates as designed to achieve the control criteria or objective.
Misstatements refer to an error or omission in management’s description of the service organization’s services or system.
Deficiency in the Operating Effectiveness of a Control.
Any time that a properly designed control does not operate as This might also come up if the person performing the control does not have the proper authority or competence to perform the control objectively.
Of course, encountering an audit exception is not ideal, it does not necessarily mean that the audit has failed or that a control has failed. Take comfort in knowing that SOC reports often have some exceptions and that a sharp auditor will catch them and help you correct them.
We Can Help You Avoid and Manage Audit Exceptions
Are you concerned about an upcoming SOC audit? Our I.S. Partners, LLC. team is brimming with expert auditors who can help you prepare for and perform your upcoming audit with confidence. We can help you identify any audit exceptions or other problems to help identify them and put you on the road to SOC success for years to come so you can fully protect your clients and your brand.