Category: Audit


The risk within self audit risk assessments

No one knows the risks inherent to an asset better than those who work with the asset. That is why self audit has been around for years. It allows the audit team to get to the hidden details, while distributing the discovery phase of the workload to people outside the audit team. When I first started working with self assessment audits, the sessions were typically moderated by an experienced risk assessor. The moderator would ensure likelihoods and impacts were accurately recorded and (s)he would use an auditor’s experience to help interpret and guide the answers. Since then, Risk and Audit teams have been placed under increasing pressure to do more with less. I have noticed a trend to remove the moderator from the self-assessments and take the self-assessor’s word...


Does my non-US business need a SOC 1, 2, 3 or SAS70 report? ISAE 3042 and ISO 27001 perform similar functions

“Our US-based client has asked for our SOC 2 audit report! I haven’t heard of one! What is it? What do I do?” Service Organisation Controls (SOC) are a US-centric accounting standard, designed to make an assessment of the controls an organisation has for its information (SOC 1), services impacting availability, integrity and confidentiality (SOC 2) and trust services (SOC 3). SOC was introduced by the American Institute of Certified Public Accountants (AICPA), and each report must be issued by an AICPA-certified auditor. In a nutshell, SOC is a US audit report, used by US businesses, issued by a US-certified auditor. If your organisation is outside of the USA, this report might be irrelevant to your local business context and may be difficult to come by, because the report must be issued by an AICPA-certified auditor. Difficult, but not impossible....