Cue Internal Audit – Stage Right

NOTE: Schellman has since updated and expanded on this information in a more recent article found here.

Internal audit teams can be leveraged for several tasks required before and throughout the SOC examination.  In theory, a strong and resourceful internal audit team should lead to a flawless SOC examination experience by applying a continuous auditing approach.  Far too often, however, internal audit teams are not performing continuous auditing, nor are they integrated into the SOC examination in a way that achieves a seamless engagement.

The thought of an external audit team barging through the lobby, poring over your private documents, interviewing already overworked control owners, and ultimately issuing a report that includes the results of failed controls can rattle even the most prepared of teams.

That being said, it shouldn’t.  Let me explain why.

What if I told you SOC examinations did not have to be stressful at all?  Chances are the company you work for already has the remedy to this common source of stress; it is just not being used to the best of its ability.  The secret?  Your internal audit team.


Who has knowledge of and understands the controls of a service organization better than the internal audit team?  Not many people.  As such, internal audit members should not only be prepping for upcoming examinations (in this case, SOC), but they should also be continually following up with control owners to ensure the controls being reviewed are functioning without error.  This is essential.  While external SOC examiners are only on-site for a few days out of the year, your internal audit team is present all year long and their primary responsibility is to verify that controls are operating effectively.  When considering those timetables, it makes sense that the odds of locating control exceptions largely favor the internal team that is on-site all year over the external SOC examiners who are only present a few days.  Moreover, once located, these testing exceptions can be resolved by internal personnel at the time of discovery, before the external team even arrives on site.  Therefore, there is a serious advantage in a strong internal audit team that ensures the foundation of an organization’s control infrastructure is operating effectively: more reassurance year-round, while eagerly anticipating the external audit team’s confirmation.

Continuous auditing is the practice of performing auditing activities on a more frequent basis, something internal teams are well positioned to perfect.  Internal audit members should be trained and encouraged to visit and revisit controls on a periodic basis to ensure they are operating effectively.  By doing so, they are preparing for a successful SOC examination experience.  Far too often, the findings noted within SOC reports could have, and frankly should have, been noted and resolved before the external auditors arrived on site.  This includes findings caused by oversight, which is, in my experience, the most common cause of control exceptions.

Additionally, internal audit team members are great resources to have present during a SOC examination.  Due to their frequent interaction with staff and their understanding of the control infrastructure at the service organization, internal audit members act as great liaisons during SOC examinations because of their ability to organize meetings with true control owners.  Let me reemphasize the phrase “true control owners”: internal audit members tend to know who the “true control owners” are, as they’ve probably already followed up with the “wrong control owners” while performing their day-to-day responsibilities.  Use this information to your advantage.  By using internal auditors as a liaison during SOC examinations, service organizations can largely reduce the on-site disruption caused by the external review by establishing a point person with the knowledge and ability to efficiently organize meetings.  Nobody wants external auditors wandering aimlessly through halls looking for control owners.  Help them, and you help yourself.

Finally, internal audit’s job is to audit – internally.  This means your internal audit team gets a lot of face-to-face time with key control owners, with whom they have probably established a decent working relationship over time.  They understand certain out-of-the-box personalities and have much better insight into what is occurring day-to-day than the external audit team; use all of this to your benefit.  Your internal audit team members are experts when it comes to your people because of how frequently they are required to interact with them.  They understand the various workloads being taken on by different team members and can assist in delegating information request items to other personnel if necessary.  This is a huge help both for your other internal staff and for the external auditors who are eager to meet and obtain evidence from your staff.  Having an internal audit team at the ready to distribute responsibilities and reduce the potential evidence bottleneck could be the factor that leads you to a successful SOC examination.


As I stated earlier, a strong and resourceful internal audit team should lead to a flawless SOC examination experience every time.  While it’s impossible to guarantee a perfect audit, an internal audit team that has been appropriately integrated and trained in its responsibilities can, and should, make the examination process a pleasant experience for all parties involved.  By periodically reviewing the controls that are in scope and ensuring that they are operating effectively, your internal audit team essentially preps for the SOC examination throughout the year.  Paired with their knowledge of “true control owners” and their ability to coordinate meetings and information request items with key personnel, your internal audit team is an invaluable resource that is already in place and ready to be utilized.  Train and use them wisely, and you will certainly notice a difference during your next SOC examination.

About the Author

Edward Delgado

Edward Delgado is a Senior Associate with Schellman based in Miami, FL. Prior to joining Schellman, Edward worked as a consultant at Deloitte and a Senior Associate at PWC, with his experience primarily focused on SOX Readiness, IT Risk Mitigation, and SSAE 16 engagements. Edward also led and coordinated various other projects, including internal audits with a focus on business processes, and regulatory compliance audits overseas within the financial services and banking sectors. Edward is now mainly dedicated to performing Service Organization Controls (SOC) examinations.
