On Time Audit

Helping you navigate the audit and compliance maze

Attestation and Assurance

On Time Audit specializes in providing information technology, operational, and compliance audits. Our audit approach is risk-based, focused, and tailored to our clients’ needs. We have expertise in performing audits for all sizes of organizations and also understand the unique challenges smaller organizations face.

Because we have 20 years’ experience in providing audits for clients in multiple industries, On Time Audit has the knowledge to provide relevant viable recommendations and can even help you with your implementation and remediation efforts.

We also understand and apply audit best practices, guiding frameworks, and standards such as those promulgated by The Committee of Sponsoring Organizations (COSO), Control Objectives for Information Technology (CobiT), The Institute of Internal Auditors (IIA), The Federal Financial Institutions Examination Council (FFIEC), the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO) to name a few.

A general overview of the scope of services performed for each type of audit is provided below.

General Controls – Multiple frameworks and guidance exist on the definition of IT general controls. These typically include those that govern the following processes:

  • IT Hardware and Software Acquisition
  • Systems Development and Implementation
  • Physical Security
  • IT Changes
  • Logical Security (Applications, Infrastructure)
  • User Access and Administration
  • Backup and Recovery
  • Disaster Recovery Planning

Operational Controls – Business operations and key controls and processes drive operational audit scope. These typically include manufacturing and distribution processes as well as departmental functions such as the front and back office that support the organization.

Compliance – Compliance with internal and external regulations, laws, and processes drive compliance audit scope. These typically include:

  • Internal processes related to policies, procedures, and programs that require monitoring and enforcement
  • External regulations such as Sarbanes Oxley, OCC, FFIEC

SSAE16 SOC 1, 2, and 3 Engagements

Organizations that provide outsourced processing services are referred to as third-party service providers. These organizations often process and/or store data that can be sensitive in nature and require increased controls. Third-party service providers usually have a SOC 1, 2, or 3 type engagement performed on the controls over the system used to provide and process services. Organizations that use the outsourcing model can gain tremendous benefits, however they cannot completely leverage risk to the third-party service provider.

The following information describes the differences between a SOC 1, 2, and 3 engagement.

  • SOC 1- Reports on the controls at a service organization relevant to user entities’ internal control over financial reporting. In this type of engagement, the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system (Type I) and the operating effectiveness of the service organization’s controls relevant to user entities internal control over financial reporting (Type II) for a period of time. Financial, operational, and IT controls may be assessed. The scope and depth of the IT controls assessed differ from a SOC 2 or SOC 3 type engagement, but are still evaluated. The report is restricted to the management of the service organization, user entities during some or all of the period covered by the report (for Type II reports), and user entities as of a specified date (for Type I reports), and auditors of the user entities’ financial statements.

  • SOC 2 – Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. The scope and depth of IT controls assessed differ than a SOC 1 engagement in that they are more focused on the protection of customer information. The report is restricted to management of the service organization and other specified parties who have sufficient knowledge and understanding of the organization.

  • SOC 3 - Same as a SOC 2 but typically only one of the elements of security, availability, processing integrity, confidentiality, or privacy is assessed and an opinion is not provided on the description. The report has no restrictions and is available to anyone.


An organization’s strategy is the road map to achieving growth and increasing stakeholder value. With growth comes change in the design, implementation, and improvement of processes that pose risk. On Time Audit years’ of practical experience in working for best practice organizations has provided the knowledge base for focused assessment and advisory services. We offer assessments in:

  • Fraud Management
  • Information Security - NIST, Cyber Security Framework
  • New Systems Implementation- Application Controls Configuration
  • Software Selection and Implementation
  • Vendor Management
  • Organizational Design and Policy/Procedure Development
  • Disaster Recovery/Business Continuity Planning
  • IT Operations Due Diligence
  • IT Asset Management
  • BSA/AML Compliance

Need more information ?