Key Audit Criteria for Certification Systems

Summary

Key audit criteria for certification systems are the essential standards and requirements used to evaluate whether organizations and their systems meet specific norms for trustworthiness, safety, and compliance during an external or internal audit. These criteria help ensure that certification processes are transparent, consistent, and reliable for both regulators and customers.

  • Define clear standards: Set publicly accessible and transparent criteria as the foundation for your audit process, so everyone understands what is being measured.
  • Focus on compliance: Align your audit procedures with recognized frameworks to confirm that systems meet regulatory and industry requirements before certification.
  • Promote transparency: Disclose audit results to stakeholders, balancing public insights and security concerns, to build trust in your certification system.
Summarized by AI based on LinkedIn member posts
  • Abdul Salam Shaik CISA (Founder @ Next Gen Assure & Kalesha & Co | CPA, CA)

    🔍 Understanding Trust Principles in Audit: Why They Matter More Than Ever

    In today’s digital-first environment, trust is no longer assumed. It is audited, tested, and evidenced. In assurance engagements, particularly SOC reports and IT audits, this trust is evaluated through the AICPA Trust Services Criteria (TSC), often referred to as the Trust Principles. These principles form the foundation for assessing whether systems are designed and operating effectively. Here’s a breakdown of the five core trust principles and their practical relevance:

    🔐 1. Security (Mandatory for SOC 2)
    Ensures systems are protected against unauthorized access, both logical and physical. This includes:
    - User provisioning and deprovisioning
    - Privileged access management
    - Authentication (SSO, MFA)
    - Logging, monitoring, and incident response
    - Change management
    This is where IT General Controls (ITGCs) play a critical role.

    ⏱️ 2. Availability
    Focuses on whether systems are available as committed or agreed. Key considerations include:
    - System uptime and performance monitoring
    - Backup procedures
    - Disaster Recovery (DR) and Business Continuity Planning (BCP)
    - Capacity management

    🧮 3. Processing Integrity
    Ensures system processing is complete, accurate, timely, and authorized. Auditors typically evaluate:
    - Input, processing, and output controls
    - Error handling and reconciliations
    - Change controls impacting business logic

    🔒 4. Confidentiality
    Protects information designated as confidential. Common audit areas include:
    - Data classification
    - Encryption (at rest and in transit)
    - Restricted access to sensitive data
    - Secure data disposal

    👤 5. Privacy
    Addresses how personal information is collected, used, retained, and disposed of in line with privacy commitments. Includes:
    - Privacy notices and consent
    - Data retention and deletion
    - Regulatory compliance (for example GDPR, CCPA)

    💡 Why this matters
    For organizations, these principles are not just compliance requirements. They are signals of reliability and credibility to customers, regulators, and stakeholders. For auditors and risk professionals, they provide a structured lens to assess whether technology truly supports business objectives while managing risk. As systems grow more complex and interconnected, trust is built through controls, evidence, and transparency, not assumptions. Would love to hear how others are seeing these principles applied in real-world audits and SOC engagements. Kalesha & co

    #Audit #ITGC #SOCReports #TrustServicesCriteria #RiskManagement #CyberSecurity #Assurance #InternalControls

  • Katharina Koerner (AI Governance, Privacy & Security | Trace3: Innovating with risk-managed AI/IT; passionate about strategies to advance business goals through AI governance, privacy & security)

    Auditing is proposed in laws, regulations, and industry guidelines to mitigate AI risks, but there's a lack of established norms and standardized practices for compliance and assurance audits. Despite varied approaches like adversarial pressure testing and quantitative assessments, consensus on norms and practices is still evolving. The term 'audit' is used broadly to encompass diverse evaluations of algorithmic tools, including pressure-testing by external entities, internal pre-deployment assessments, collaborative audits, and external audits ensuring compliance with legislative or standardized framework requirements.

    External audits differ from risk or impact assessments in two main aspects. Firstly, algorithmic impact or risk assessments primarily focus on internal evaluations. Secondly, external audits require a conclusive outcome for stakeholders to act upon, while risk or impact assessments usually provide open-ended outputs, such as prioritized lists of risks or impacts.

    This paper below specifically focuses on 'external audits,' also known as 'compliance audits,' which aim to ensure adherence to specified requirements. This paper introduces the 'criterion audit' as a practical way to do external audits, inspired by how financial audits work. It is defined as: "A criteria-based independent external evaluation E of an algorithmic system S conducted by an auditor A to determine whether the given system S meets the requirements set by a normative framework."

    The criterion audit is characterized by 4 key features:
    1. Standardized Criteria: Transparent evaluation against publicly accessible criteria.
    2. Normative Framework: Measuring compliance against a specific normative framework.
    3. Auditor Training: Standardized training and accreditation for auditors.
    4. Public Disclosure: Results disclosed, ensuring transparency while addressing security concerns.

    The standard process for a criterion audit includes target scoping, documentation submission, evidence verification, publication of the audit report, and certification of the audited algorithmic system based on the evaluation against normative framework requirements. The paper demonstrates the application of the proposed approach to comply with NYC Local Law 144. The paper stresses that auditors for the criterion audit, like financial auditors, need professional values, subject matter expertise, and rigorous audit processes. It advocates for standardized audit training and suggests combining this with responsible AI education for a comprehensive understanding of complex considerations in algorithm audits.

    Title: "A Framework for Assurance Audits of Algorithmic Systems"
    Authors: BABL AI research team, led by Khoa Lam, Dr. Benjamin Lange, and Borhane Blili-Hamelin, PhD. Contributions from Shea Brown, Jovana Davidovic, and Ali Hasan.

  • Sadok Masmoudi (QHSE Manager)

    ISO 45001:2018 Checklist – Are You Ready for the Audit?

    Getting ready for a certification or surveillance audit for ISO 45001? Here’s a concise checklist to help you assess the essentials:

    1. Organizational Context
    - Analysis of interested parties
    - Identification of internal/external issues
    2. Leadership & Worker Participation
    - H&S policy communicated
    - Roles and responsibilities defined
    - Worker consultation & participation in place
    3. Planning
    - Risk & opportunity assessment
    - SMART H&S objectives
    - Action plan implemented
    4. Support
    - H&S training and competence
    - Internal and external communication
    - Documented information available
    5. Operation
    - Effective operational control
    - Management of change
    - Emergency preparedness and response
    6. Performance Evaluation
    - Monitoring and measurement of H&S performance
    - Internal audits conducted
    - Management review held
    7. Improvement
    - Nonconformity handling
    - Corrective actions tracked
    - Continuous improvement demonstrated

    #ISO45001 #OHSMS #QHSE #InternalAudit #WorkplaceSafety #HSE #ManagementSystem

  • Patrick Sullivan (VP of Strategy and Innovation at A-LIGN | TEDx Speaker | Forbes Technology Council | AI Ethicist | ISO/IEC JTC1/SC42 Member)

    ✳ Building an Effective Internal Audit Program with ISO42001 ✳

    Your internal audits serve as an essential tool to ensure AI processes meet both ISO42001 requirements and your organizational goals. When establishing your audit program, you'll need to consider audit scope—which should reflect your organizational context, the complexity of your AI systems and the risks they pose, particularly those systems with high-stakes outcomes such as in healthcare or legal settings.

    ✴ Timing is important. Your internal audits should be scheduled at planned intervals, typically annually, or whenever significant changes occur in your AI systems or governance structure. An audit schedule that reflects critical periods of AI development and implementation is key to uncovering potential risks early.
    ➡ For those of you pursuing AIMS certification, give yourself at least a quarter to address nonconformities discovered during your internal audit before undergoing your certification examination.

    ✴ Leadership is another critical consideration. An audit program should be led by someone with organizational independence and a deep understanding of both your organization's AI systems and ISO42001 requirements. This person may be part of your compliance team or a dedicated AI governance leader who has the authority to report findings directly to senior management, as required by Clause 9.3.
    ➡ The lead auditor should also ensure that all stakeholders involved in AI processes are engaged throughout the audit.

    ✴ When conducting the audit, ensure that evidence collection focuses on how well AI systems align with governance standards. This includes reviewing documentation, assessing data management, and evaluating controls for bias, fairness, and accountability. Findings should then be documented clearly and reported to top management, who will need to ensure that corrective actions are taken, as specified in Clause 10.2.

    ✴ Your internal audits, when structured properly, both verify compliance AND drive continuous improvement in your AI governance program. No one and no system is perfect, so identifying and correcting areas of weakness allows your team to implement changes that improve the overall management and control of AI risks.

    ⚠ Note: Integrating your ISO42001 AIMS internal audit with internal audit for existing Management System frameworks like your ISO27001 ISMS allows you to create a cohesive and efficient governance system that addresses security, privacy, and responsible AI development/use in a single motion. For help getting started, please reach out! A-LIGN Tom McNamara Walter Haydock Christian Hyatt Jacob Nix Shea Brown

    #iso42001 #TheBusinessofCompliance #ComplianceAlignedtoYou

  • Aayush Ghosh Choudhury (Co-Founder/CEO at Scrut Automation (scrut.io))

    Want a SOC 2? Not sure about the “Trust Services Criteria”? Check out this breakdown of the 5 TSCs and how they might apply to your business:

    1. SECURITY
    Mandatory for all SOC 2 audits. It is focused on ensuring the organization can prevent or detect:
    - theft
    - system failure
    - incorrect processing
    - unauthorized removal of information or system resources
    as well as the misuse of applications such as unauthorized alteration, destruction, or disclosure of information that could compromise the confidentiality, availability, integrity, and privacy of information or systems that affect the entity’s ability to achieve its objectives.

    2. AVAILABILITY
    Addresses whether information and systems are available for operation and use to meet the entity’s objectives. It typically applies to organizations that provide:
    - data centers
    - hosting services
    - Software as a Service (SaaS)
    Consider including the availability Trust Services Criterion in your SOC 2 if your customers have stringent requirements regarding downtime, especially if they have binding SLAs (Service Level Agreements) with you.

    3. PROCESSING INTEGRITY
    This focuses on data accuracy and the completeness of the end-to-end processes to ensure that applications function without:
    - error
    - delay
    - omission
    - accidental data manipulation
    The processing integrity criterion requires you to describe precisely how data is processed within a system. It can add substantial value to your SOC 2 report, giving the auditors, potential customers, and partners a good idea of how your system works. Consider including the processing integrity criterion in your SOC 2 report if your organization performs or manages transactions regularly.

    4. CONFIDENTIALITY
    The confidentiality trust criterion evaluates how organizations protect confidential information – by limiting access, storage, and use. Consider including confidentiality criteria in your SOC 2 if your organization handles confidential data like Personally Identifiable Information (PII) or financial reports.

    5. PRIVACY
    The privacy criterion assesses how, why, and when an organization shares sensitive information. It focuses on personal information like names, addresses, emails, and purchase histories. Frankly, this is rarely evaluated because companies look to other standards like ISO 27701 to prove their privacy framework’s worth.

    BOTTOM LINE
    While only security is mandatory, it might make sense to expand the scope of your audit based on your customer requirements.

  • Navneet Jha (Associate Director | Technology Risk | Transforming Audit through AI & Automation @ EY)

    How to Test SOC 1 and SOC 2 Reports

    Testing SOC 1 and SOC 2 reports in IT audits is essential for verifying the design and operating effectiveness of controls related to a service organization. These reports are critical for evaluating the internal controls of service providers, ensuring compliance with industry standards, and providing assurance to user organizations.

    1. Understanding the Service Organization’s System and Controls
    The first step is to obtain the SOC report and review its details, including the service organization’s system description and key controls. Identify which control objectives are relevant: financial reporting for SOC 1 and trust service criteria (security, availability, processing integrity, confidentiality, and privacy) for SOC 2.

    2. Testing SOC 1 Report
    Focus: SOC 1 testing centers on controls that impact financial reporting.
    Testing Process:
    - Design Effectiveness (Type I): Evaluate if the design of controls meets control objectives. This involves assessing whether documented controls would effectively mitigate risks related to financial reporting.
    - Operating Effectiveness (Type II): Analyze the results of the service auditor’s tests over the defined period. Determine if controls were consistently applied and assess any exceptions noted.
    - Test CUECs: Verify that user organizations have implemented necessary controls that complement those of the service provider.
    - Evaluate Exceptions: Any deficiencies identified must be assessed for their impact on financial reporting, determining if additional substantive testing is required.

    3. Testing SOC 2 Report
    Focus: SOC 2 testing involves non-financial controls related to data security and privacy.
    Testing Process:
    - Design Effectiveness (Type I): Review controls against relevant Trust Service Criteria. Assess whether the described controls can mitigate risks associated with data security, availability, and privacy.
    - Operating Effectiveness (Type II): Examine the service auditor’s test results, particularly for critical controls like security monitoring and incident response.
    Specific Controls to Test:
    - Security: Test access controls, encryption protocols, and system monitoring tools.
    - Availability: Evaluate system uptime and disaster recovery plans.
    - Processing Integrity: Ensure procedures for data processing are accurate and timely.
    - Confidentiality: Verify sensitive data protection through encryption and access controls.
    - Privacy: Ensure compliance with regulations like GDPR.

    4. Review and Test Complementary User Entity Controls (CUECs)
    Both SOC reports may rely on user organizations to implement CUECs. It's vital to ensure that these controls are in place and functioning effectively, especially for critical controls that could impact the audit outcomes.
    Testing Process:
    - Confirm that the user entity has implemented necessary CUECs.
    - Perform additional testing at the user entity level as needed, particularly for controls that significantly affect overall risk.