Figures HR Achieves ISO 27001:2022 and SOC 2 Type 1 Compliance
About Client
Figures HR operates in the European compensation management space, supporting organizations in salary benchmarking and decision-making. The platform processes sensitive employee and compensation data across multiple client environments. As a result, information security, confidentiality, and controlled data handling are central to its operations.
To obtain independent validation of its control environment, Figures HR underwent ISO/IEC 27001:2022 certification and a SOC 2 Type 1 examination.
Engagement Context and Scope
The engagement covered the evaluation of Figures HR’s information security management system and relevant controls aligned with ISO/IEC 27001:2022 and the Trust Services Criteria for SOC 2 Type 1 (security, availability, and confidentiality).
System boundaries, in-scope processes, and applicable control areas were confirmed with management. The assessment focused on evaluating the control design and implementation at a defined point in time for SOC 2 Type 1, and conformity of the ISMS against ISO/IEC 27001:2022 requirements.
Audit Approach and Methodology
CertPro conducted the engagement using a structured audit methodology aligned with ISO standards and AICPA attestation requirements. The approach was evidence-based and followed established audit procedures, including documentation review, inquiry, and control validation.
Scope Confirmation and Planning: The engagement commenced with confirmation of system scope, boundaries, and applicable criteria. In-scope systems, processes, and personnel were identified and documented for audit evaluation.
Documentation and Control Review: Policies, procedures, and control documentation were reviewed to assess alignment with ISO/IEC 27001:2022 clauses and SOC 2 Trust Services Criteria. This included evaluation of information security policies, access control procedures, incident response processes, and data handling practices.
Control Testing and Validation: Controls were evaluated for design and implementation through inspection of evidence and inquiry with control owners. Testing procedures included validation of access controls, review of system configurations, examination of monitoring mechanisms, and assessment of incident response activities.
Risk and Control Alignment: Risk assessment outputs maintained by management were reviewed to determine alignment between identified risks and implemented controls. The audit focused on whether controls addressed relevant risks within the defined scope.
Audit Evidence and Traceability: Evidence was obtained from system records, documentation repositories, and process walkthroughs. All conclusions were based on verifiable evidence, with traceability maintained between control requirements and supporting documentation.
ISO/IEC 27001:2022 Audit Procedures
The ISO/IEC 27001:2022 audit evaluated the design and implementation of the Information Security Management System (ISMS).
Audit procedures included:
- Review of ISMS scope, policies, and supporting documentation
- Assessment of risk assessment and risk treatment processes
- Evaluation of Annex A controls, including access control, cryptography, and incident management
- Verification of control implementation through documented evidence and system records
Based on the procedures performed, conformity with ISO/IEC 27001:2022 requirements was assessed by the certification body.
SOC 2 Type 1 Examination Procedures
The SOC 2 Type 1 examination evaluated the design of controls relevant to the Trust Services Criteria for security, availability, and confidentiality at a specified point in time.
Procedures included:
- Review of system description, policies, and control activities
- Evaluation of logical and physical access controls
- Assessment of monitoring, logging, and incident response processes
- Validation of controls related to data confidentiality and system availability
The examination was conducted in accordance with AICPA attestation standards, and conclusions were based on the design of controls within the defined scope.
Audit Results and Reporting
ISO/IEC 27001:2022 Certification: Following completion of the external audit by an IAF-accredited certification body, Figures HR obtained ISO/IEC 27001:2022 certification. The certification reflects conformity of the ISMS with the standard based on the audit performed.
SOC 2 Type 1 Report: A SOC 2 Type 1 report was issued, providing an independent opinion on the design of controls relevant to the applicable Trust Services Criteria at a specified date. The report includes the system description, control objectives, and results of procedures performed.
Conclusion
The engagement demonstrates the application of a structured audit methodology to evaluate control design and system conformity against recognized standards. All audit conclusions were based on documented evidence obtained during the engagement. CertPro performed the audit and attestation procedures as a licensed CPA firm, with no involvement in control design, implementation, or remediation activities.
