Using the Work of Internal Auditors for a SOC 1 or SOC 2 Report

Evaluating the competence, objectivity, and systematic approach used by internal SOC audits

There are several factors that should be considered when determining whether a company’s internal audit function can be leveraged during a SOC 1 or SOC 2 audit:

  • the nature of the internal audit activities 
  • the extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors 
  • the competence of internal auditors 
  • the systematic and disciplined approach of the internal audit function 

Activities of the internal audit function that may be relevant to a SOC 1 or SOC 2 examination include those that provide information or evidence about whether the system description is presented in accordance with the description criteria or whether controls were suitably designed and, in a type 2 examination, operating effectively.

The service auditor may determine that the SOC 1 or SOC 2 examination can be performed more effectively or efficiently by either: a) using the work of the internal audit function or b) obtaining direct assistance from internal audit function personnel. The phrase “using the work of the internal audit function” usually refers to using work designed and performed by the internal audit function, in accordance with an internal audit plan, to obtain evidence to support the achievement of the service organization’s control objectives (in a SOC 1 audit) or service commitments and system requirements (in a SOC 2 audit). This differs from work the internal audit function performs to provide direct assistance to the service auditor, including assistance in performing tests of controls that are designed by the service auditor and performed by members of the internal audit function under the service auditor’s direction, supervision, and review. When members of the internal audit function provide direct assistance, the procedures they perform are similar to work performed by the engagement team.

If the service auditor plans to use internal auditors to provide direct assistance, prior to doing so, the service auditor should obtain written acknowledgment from management of the service organization that internal auditors providing direct assistance to the service auditor will be allowed to follow the service auditor’s instructions and that the responsible party will not intervene in the work the internal auditors perform for the service auditor. This is usually done in an engagement letter.  When using internal auditors to provide direct assistance, the SOC 1 / SOC 2 auditor is required to direct, supervise, and review the work of the internal auditors. The service auditor fulfills that responsibility by (a) informing the internal auditors of their responsibilities, the objectives of the procedures they are to perform, and matters that may affect the nature, timing, and extent of their procedures and by (b) supervising and reviewing the work performed by internal auditors in a manner similar to the review of work performed by the firm’s own staff.

SOC Auditor Evaluation Of Internal Audit

If the service auditor determines that the work of the internal audit function is relevant to the SOC 1 or SOC 2 examination, and the service auditor intends to use the work of the internal audit function in obtaining evidence, or plans to use internal auditors to provide direct assistance during the examination, the service auditor should determine whether the work can be used for purposes of the examination by evaluating several factors. The factors the service auditor should evaluate include the following:

  • The level of competence of the internal audit function or the individual internal auditors providing direct assistance
  • The objectivity of the internal audit function 
  • The application by the internal audit function of a systematic and disciplined approach, including quality control

When evaluating competence, the service auditor should consider the attainment and maintenance of knowledge and skills of the internal audit function at the level required to enable assigned tasks to be performed diligently and with the appropriate level of quality. Consideration of factors such as the following may assist the service auditor with that evaluation:

  • Hiring policies
  • The adequacy of resources relative to the size of the entity
  • Technical training and proficiency of individuals
  • Knowledge of the areas being examined, including industry-specific or technical knowledge required to perform the work
  • Whether internal auditors are members of relevant professional bodies or have certifications that oblige them to comply with the relevant professional standards, including continuing professional education requirements

When evaluating objectivity, the service auditor should consider whether the internal audit function performs tasks without allowing bias, conflict of interest, or undue influence of others to override professional judgments. Factors that may affect the service auditor’s evaluation of objectivity include the following:

    • Whether the organizational status of the internal audit function, including the function’s authority and accountability, supports the ability of the function to be free from bias, conflict of interest, or undue influence of others (for example, whether the internal audit function reports to those charged with governance or to an officer with appropriate authority, or if the function reports to management, whether it has direct access to those charged with governance)
    • Whether the internal audit function is free of any conflicting responsibilities (for example, having managerial or operational duties or responsibilities that are outside of the internal audit function)
  • Whether those charged with governance oversee employment decisions related to the internal audit function.

When evaluating the application by the internal audit function of a systematic and disciplined approach, including quality control, the service auditor may consider the function’s approach to planning, performing, supervising, reviewing, and documenting its activities. Relevant factors to consider may include, among others, (a) the existence, adequacy, and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation, and reporting or (b) whether the internal audit function has appropriate quality control policies and procedures.

Based on an evaluation of the preceding factors, it is up to the service auditor to determine whether the risks to the quality of the work of the internal audit function or the individual, when using direct assistance, are too significant and whether it is appropriate to use any of the work of the function or individual as examination evidence.

SOC Auditor Coordination With Internal Audit

When the service auditor plans to use the work of the internal audit function, the service auditor may find it helpful to review the internal audit function’s audit plan and discuss with management the planned use of the work of the internal audit function as a basis for coordinating the work of internal auditors with the service auditor’s procedures. The audit plan provides information about the nature, timing, extent, and scope of the work performed by the internal audit function, as well as the work that is planned to be performed.

As a basis for coordinating the respective activities between the service auditor and the internal auditors when planning to use the work of the internal audit function, it may be useful to address the following:

  • The nature of the work performed
  • The timing of such work
  • The extent of coverage
  • Proposed methods of item selection and sample sizes
  • Documentation of the work performed
  • Review and reporting procedures

SOC Auditor Conclusions On Adequacy Of Internal Audit

When using the work of the internal audit function, the service auditor should perform sufficient procedures, including reperformance, on the body of work of the internal audit function that the service auditor plans to use, to evaluate whether such work is adequate for the service auditor’s purposes. The nature, timing, and extent of procedures the service auditor performs in evaluating the adequacy of that work depends on the service auditor’s assessment of the significance of that work to the service auditor’s conclusions (for example, the significance of the risks that the controls are intended to mitigate). Such procedures usually consist of one or more of the following:

  • Independent testing of items tested by the internal audit function (reperformance)
  • Independent selection of items from the population tested by internal audit and the performance of tests of a similar nature to those performed by internal audit to independently evaluate internal audit’s conclusion

Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity required to evaluate the effectiveness of the control. As the significance of these factors increases, so does the need for the service auditor, rather than the internal audit function, to perform the procedures, and conversely, as these factors decrease in significance, the need for the service auditor to perform the tests decreases.

Another relevant factor in evaluating the adequacy of the work of the internal audit function is the adequacy of the sampling procedures used and whether the sampling procedures were appropriate and free from bias (that is, whether all items in the population have the same opportunity to be selected). If the size of the sample used by the members of the entity’s internal audit function is less than the sample size the service auditor would have used, the service auditor generally would select additional items to achieve the required sample size. For example, if internal audit has selected a sample of 25 items for testing, the service auditor may determine that an additional 15 items need to be tested.

In conclusion, using the work of internal auditors in a SOC 1 or SOC 2 engagement can improve the audit(s) and drive efficiencies.  Proper planning and coordination between the SOC auditors and internal auditors is the key to making this approach successful.