SOC 1 SSAE 18 states that if the service organization has an "internal audit function", it is the responsibility of the service auditor to understand the role, responsibilities, and activities of the internal audit function in order to determine its applicability and relevancy for a SOC 1 SSAE 18 engagement.
The "internal audit function" for SOC 1 SSAE 18 compliance can best be described simply as the personnel within a service organization who perform the duties of an internal auditor. Common internal audit functions can include ensuring that the service organization's daily operational activities, safeguards, processes, and procedures are functioning properly, which the internal audit function can test and monitor through a number of procedures.
SOC 1 SSAE 18 also allows the internal audit function to include other personnel who perform functions similar to those of internal auditors, with these other personnel being actual service organization employees or even external, third-party entities.
Assessing an Organization's Internal Audit Function - What you Need to Know
With that said, the existence of an internal audit function must first be identified within a service organization, and if one is present, the service auditor will need to determine the adequacy of the internal audit function itself for a SOC 1 SSAE 18 engagement. This would require evaluating the following conditions:
- The objectivity along with the overall competency of the group (technical and professional competency).
- Is due professional care used when the work is being performed by the internal audit function?
- Can the internal audit function of the service organization effectively communicate with the service auditor in a transparent and professional manner to help facilitate the SOC 1 SSAE 18 engagement?
Additional Points to Note about an Internal Audit Function
If the service auditor can answer yes to these questions and gain an acceptable level of confidence regarding the internal audit function, then the service auditor should evaluate the following conditions:
- What is the nature and scope of the work to be performed by the actual internal audit function?
- How significant is the work to the actual service auditor's findings and conclusions for a SOC 1 SSAE 18 engagement?
- What degree of subjectivity is to be used in evaluating the evidence (interviews, inspections, documents, and other supporting evidence) to support the actual conclusions?
Relying on Work Performed by Internal Auditors
If the service auditor is to actually rely on the work performed by the internal audit function, then the service auditor will have to perform procedures on that work to determine its applicability, relevancy, and adequacy with regard to a SOC 1 SSAE 18 engagement. Thus, the service auditor will have to determine whether the actual work was performed by the internal audit function, whether it was properly supervised, reviewed, and documented, and whether there is sufficient evidence to draw conclusions that are appropriate and acceptable. Lastly, any exceptions found and disclosed by the internal audit function must be resolved. If your organization is seeking SOC 1 SSAE 18 compliance, contact a well-qualified PCAOB CPA firm that specializes in SOC 1 SSAE 18 engagements.