There are many different types of testing that are important for completing audit procedures. Specifically for SOC 1 and SOC 2 engagements, our test procedures for each control in the report will include inquiry, inspection or examination, observation, reperformance, or a computer-assisted audit technique (CAAT).

Some controls that we test will include more than one of these methods of testing. Within these five methods of testing, there are various ways to go about the completion of the test. In this post, we explain what the concept of downstream and upstream testing is in the context of an easier and more straightforward audit area to test: physical access. One audit objective for physical access testing that is easy to understand is confirming that the right people have the right access.

This sounds very basic, but confirming this is a little more involved. Below we will walk through testing the appropriateness of physical access using downstream testing and upstream testing, which is looking at access from both directions: who has access right now and is it appropriate, who used their physical access during the period being reviewed, and was that use of access appropriate?

For physical access testing, the first step involves obtaining a list of active key card or badge holders and selecting a sample. The testing will then determine, with the assistance of the client and review of provided documentation, whether the active key card holders were: This method of testing seems easy, right?

Yes, this downstream audit procedure is the easier part of the test. The upstream audit procedure requires that the activity log for the period being reviewed is obtained from the key card system that includes all key card or badge activity for all holders.

Even the activity for those holders that no longer have an active key card or badge needs to be included for the purposes of this testing. An unmatched query should be run against the list of active key card or badge holders to determine which activity log entries do not match to a current key card or badge holder.

Again, a representative sample of these entries should be made and then the auditor will work with the client to figure out if that access was appropriate at the time it occurred. The activity could be for a previous employee not on the current key card or badge holder list, or there could be a number of other explanations.
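
The upstream step described above, shown as an added example that is not part of the original post: an unmatched query of the activity log against the active holder list, followed by a reproducible sample of the exceptions. The CSV column names, badge IDs and log rows are constructed, and SQLite stands in for whatever query tool is actually used.

```python
import csv, io, random, sqlite3

# Constructed sample exports (not from the original post).
ACTIVE_HOLDERS_CSV = """badge_id,holder
B-1001,A. Rivera
B-1002,J. Chen
B-1003,M. Okafor
"""
ACTIVITY_LOG_CSV = """timestamp,badge_id,door
2024-01-03T08:01:00,B-1001,Lobby
2024-01-03T08:05:00,b-1002 ,Server Room
2024-01-09T22:14:00,B-0977,Server Room
2024-02-11T07:45:00,B-0977,Lobby
2024-02-20T13:30:00,B-0850,Loading Dock
2024-03-02T09:00:00,B-1003,Lobby
"""

def _norm(badge_id):
    # Normalize IDs so formatting differences between the two exports
    # do not show up as false "unmatched" entries.
    return badge_id.strip().upper()

def unmatched_activity(holders_csv, log_csv):
    """Return activity-log rows whose badge is not on the active holder list."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE holders (badge_id TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE activity (ts TEXT, badge_id TEXT, door TEXT)")
    db.executemany("INSERT OR IGNORE INTO holders VALUES (?)",
                   [(_norm(r["badge_id"]),)
                    for r in csv.DictReader(io.StringIO(holders_csv))])
    db.executemany("INSERT INTO activity VALUES (?, ?, ?)",
                   [(r["timestamp"], _norm(r["badge_id"]), r["door"])
                    for r in csv.DictReader(io.StringIO(log_csv))])
    # The unmatched query: keep log rows that have no matching active holder.
    return db.execute(
        "SELECT a.ts, a.badge_id, a.door FROM activity a "
        "LEFT JOIN holders h ON h.badge_id = a.badge_id "
        "WHERE h.badge_id IS NULL ORDER BY a.ts").fetchall()

def select_sample(rows, size, seed):
    """Reproducible sample: the same seed re-selects the same items."""
    rng = random.Random(seed)
    return sorted(rng.sample(rows, min(size, len(rows))))

if __name__ == "__main__":
    exceptions = unmatched_activity(ACTIVE_HOLDERS_CSV, ACTIVITY_LOG_CSV)
    for row in select_sample(exceptions, 2, seed=2024):
        print(row)
```

Recording the seed alongside the sample lets a reviewer re-select the same exceptions from the same exports.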

There are many other aspects to physical access testing not covered in this blog post, such as termination testing e. Suffice it to say that audit testing is multi-faceted and more complex than the simply stated objective of the right people having the right access.

Not every control tested requires downstream and upstream testing. Some controls can be tested using inspection or examination, and reasonable assurance can be reached easily through that method with no further testing required. As testing methods are being determined for the controls, it is important to consider whether each control can and should be tested using downstream and upstream testing.

Just like the physical access example above, this method can also be applied when looking at logical access.

Nicole Hemmer started her career in She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.

