Sunday, July 28, 2024

How Auditors Conduct the SOC 2 Audit

So when it comes to thinking through how the auditor is actually going to conduct the audit, there are really only three types of audit techniques they use to assess your organization.


1. Walkthroughs,

2. Inspection of evidence, and

3. Observation of processes.


So that's literally the terminology that they use to describe what they're doing.


So I'll walk through those so you'll know how each one applies to our organization.


So first, walkthroughs are simply meetings. The auditor sits down with IT and talks about how the network is designed, looks at our network diagram and talks through data flow. They'll schedule a meeting with the engineering team and talk through product overviews, change control and the SDLC.



These are literally interviews with the people on our team to understand how processes work, and the auditor hears it directly from our team members.


However, an auditor is not permitted to rely exclusively on walkthroughs to perform an audit.


So SOC 2 requires that the auditor also look at evidence to validate anything that someone said, which is our second technique, inspection of evidence.


And this is the most common process that an auditor will use to audit.


And there's a whole ecosystem of;

So if you've never been through an audit, what basically happens is the SOC 2 auditor will provide you with a whole request list of the types of information they need. For SOC 2, there are usually at least 100 line items, and they'll include things like policies, configuration settings, system access lists and change tickets.


Then our team is going to start grabbing screenshots. You're going to pull down the policy, you're going to upload it to the auditor's portal, and the auditors will review all the evidence.


And then, based on their review, they're probably going to come back with questions or want some clarification, or they may even have additional requests they need to make to get through the audit.


So that inspection of evidence part is the most robust and time-consuming piece of the audit.


The third way an auditor will audit our organization is through observation. If you have an on-prem data center or server closet, they might want to look at that data center to make sure it has physical and environmental controls in place.


If you have a facility, they might inspect the locks on each door to make sure they're actually physically locked.


WHAT AUDITORS WRITE DOWN:

This is what the auditor is writing down. So for a SOC 2, you're going to have controls. You might have 50 or 100 controls.


So our example control here is: the company maintains security policies and procedures. Policies and procedures are made available to employees in the company's policy document repository.


So then how will the auditor review that?

What will they do to test that control?


So there are two test procedures.

The auditor will inspect the company's security policies and procedures to determine if policies are documented and up to date. So they inspected the policy.


The second thing they do is inspect the company's policy document repository to determine if policies and procedures are made available to the employees in the company's policy document repository.


So for the audit test, they looked at the policy and they read it.

Then they made sure that policy was actually available to all the employees through the document repository, like the control said. The thing that's going to impact you is the evidence they're requesting to validate that.


So the two pieces of evidence an auditor would request to validate this control are: one, the information security policy, and two, they're probably going to ask for screenshots of your document repository to validate that you actually have a document repository and the whole company has access to it.



So that's how one control might have two different evidence requests.

And if you have 50 or 100 controls, you can see how that might add up to 100 or 200 pieces of evidence.


So I hope that adds some clarity to what the auditor is actually doing and how they're testing us.

