Auditor Review Summary

Updated by Tanya Tandon

At VISO TRUST, our approach to evidence review is designed to balance efficiency, accuracy, and risk-based rigor. The following outlines how we handle artifacts during AI + Auditor-assisted validations and manual reviews, so that our customers have a clear understanding of what the validation covers.

Our process is scalable, risk-based, and focused on meaningful assurance — prioritizing material risk and high-value evidence rather than performing an exhaustive audit, while maintaining transparency for customers.

  1. Prioritization of Evidence
  • Prioritize high‑assurance artifacts such as SOC 2 reports, ISO certificates, HITRUST artifacts, and third-party penetration tests, following the assurance hierarchy.
  • Verify key details: ownership (the artifact was issued to the vendor being assessed), validity periods, and expiration dates.
  2. Supersession of Artifacts
  • When a valid artifact is available, it supersedes any older, expired artifacts of the same type.
  3. Focused Review of High-Assurance Artifacts

Certain cases require manual review for more reliable results, including:

  • ISO certificate reviews, HITRUST validity dates, third-party penetration tests, PCI DSS artifacts, and password-protected or confidential artifacts.
  • For SOC 2 reports, auditors review qualified opinions, exceptions, subservice organizations, and complementary user entity controls (CUECs).
  • For penetration tests and similar reports, auditors review open critical- and high-severity findings, capture their counts and remediation status, and record them as exceptions in the assessment.
  4. Classification
  • Auditors confirm that high‑assurance artifacts (e.g., SOC reports, ISO certificates, third‑party penetration tests) are correctly classified where the classification affects risk scoring or expiration.
  5. AI-Assisted Validation
  • While AI significantly improves coverage, it does not guarantee detection of every control in every artifact. Auditors supplement AI detections by searching for missing controls where they are material to the assessment.
  • If relevant gaps remain after the AI + Auditor assessment, you may send a follow-up questionnaire to the vendor (in the case of an interactive assessment) to confirm the actual control posture.
  6. Structured Risk Analysis Checks

Auditors review the risk analysis and handle:

  • “Not present” controls (confirm with the vendor or against a qualified opinion, or remove irrelevant detections).
  • “Not applicable” controls (retain only when justified; otherwise remove).
  • Shared responsibility, subservice organization, and CUEC statements, which are verified for accuracy.
  7. Continuous AI Evaluation & Improvement
  • Periodically perform deeper evaluations on selected assessments and artifacts (e.g., a detailed review of the detections in certain reports) to identify gaps and feed improvements back into the AI models and procedures.
  8. Risk-Based Review Scope & Materiality Principles

The combination of AI and Auditor review is designed to achieve high coverage of controls material to the assessment, but it is not a line‑by‑line manual audit of all content in every document. The review process is risk-based, not exhaustive:

  • Lower‑assurance and public artifacts are manually reviewed only when they add meaningful, incremental value, typically when high‑assurance evidence does not cover specific controls.
  • Automated detections are not individually re-validated unless they relate to high-assurance artifacts, material risk areas, or identified inconsistencies.
  • Classifications are updated only when they materially affect risk or interpretation; not every artifact is re-classified.
  9. AI-Generated Summaries
  • The AI-generated summary and the Details tab are informational. Auditors rely on the underlying evidence and the defined checks rather than validating every AI-generated statement.
  • Public or supplemental research may be used when relevant, but the Details tab is informational and is not intended to represent an exhaustive external investigation.

* Specific additional contracted services (e.g., managed services or concierge) may vary from the process described above.
