
The COVID-19 pandemic has impacted nearly all organizations. Many have transitioned their workforce to remote environments, or scaled down their workforce through furloughs or employee reductions. These impacts should be carefully considered in the context of System and Organization Controls (SOC) 1 and SOC 2 reports, for both the service organizations and user entities of the reports.

  • For service organizations, assess how COVID-19 has affected operations and controls, and identify and evaluate any new risks the pandemic has introduced.
  • For user entities, know what to look for in a SOC report whose period includes the pandemic.

Service organization considerations

Impact on controls

Service organizations should evaluate their operational and information technology (IT) environments and controls to determine whether any controls have been affected. Consider the following:

  • Has your organization furloughed or reduced your workforce? If so, assess whether the reduction affected the execution of controls.
  • Has the transition of control responsibilities been clearly communicated? If not, management should review the controls and communicate the roles and responsibilities for control execution.
  • Has segregation of duties been affected by furloughs or a reduction in workforce? If so, assess whether the risk can be mitigated through additional monitoring.
  • Have some controls required employees to be on-site, with access to call centers, mail rooms or other resources? If so, assess whether remote-work requirements have affected those areas, or whether those controls have changed.
  • Has the operation of controls been delayed by the pandemic? If so, consider the timeliness objectives and whether additional resources or changes are needed to support the execution of controls.

With increases in remote work environments, IT security risks also need to be evaluated. Consider the following:

  • Evaluate whether all remote workers with access to regulated data received appropriate training on handling that data in a remote work environment.
  • Validate that user provisioning and removal still operate as designed, including appropriate identity verification for users who are remote.
  • Validate that additional guidance on remote work cybersecurity practices has been communicated to remote workers.
  • Validate the security of any applications or systems that were recently web-enabled for remote work.
  • Validate that multi-factor authentication (MFA) is required for remote workers on all key/critical systems.
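The workforce and access checks in the two lists above (de-provisioning of furloughed or terminated staff, segregation of duties, and MFA coverage on key systems) can be tested mechanically against an HR roster and an access export. The script below is an added example written for this page, not code from the original article or from Baker Tilly; the roster, systems, entitlements, conflict pairs and the three-day removal grace period are all constructed, hypothetical data.

```python
"""Three control tests over constructed sample data (added example, not from the article):
  1. stale_access    - accounts still present for furloughed/terminated or unknown staff
  2. missing_mfa     - accounts on key/critical systems without MFA enrolled
  3. sod_violations  - one user holding both halves of a conflicting entitlement pair
All user IDs, systems, entitlements and policy values below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Worker:
    user_id: str
    status: str          # "active" | "furloughed" | "terminated"
    status_date: date    # date the status took effect


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    critical: bool       # key/critical system per the organization's risk assessment
    mfa_enrolled: bool
    entitlements: frozenset


# Constructed HR roster (hypothetical names and dates)
ROSTER = [
    Worker("alice", "active", date(2019, 3, 1)),
    Worker("bob", "furloughed", date(2020, 4, 15)),
    Worker("carol", "terminated", date(2020, 5, 1)),
    Worker("dave", "active", date(2020, 2, 10)),
]

# Constructed access export (hypothetical); "erin" has no HR record at all
ACCOUNTS = [
    Account("alice", "erp", True, True, frozenset({"create_vendor"})),
    Account("alice", "payments", True, True, frozenset({"approve_payment"})),
    Account("bob", "erp", True, False, frozenset({"view_ledger"})),
    Account("carol", "ticketing", False, False, frozenset({"read"})),
    Account("dave", "vpn", True, False, frozenset({"connect"})),
    Account("dave", "wiki", False, False, frozenset({"edit"})),
    Account("erin", "vpn", True, True, frozenset({"connect"})),
]

# Entitlement pairs one person must not hold together (hypothetical SoD policy)
SOD_CONFLICTS = [("create_vendor", "approve_payment")]

# Review date for the test (hypothetical)
AS_OF = date(2020, 6, 30)


def stale_access(roster, accounts, as_of, grace_days=3):
    """Accounts that should have been removed or suspended: holder is not active
    (furloughed or terminated) for longer than the removal SLA, or is unknown to HR.
    Treating furloughed staff as 'must be suspended' is a hypothetical policy choice."""
    by_id = {w.user_id: w for w in roster}
    findings = []
    for a in accounts:
        w = by_id.get(a.user_id)
        if w is None:
            findings.append((a.user_id, a.system, "not on HR roster"))
        elif w.status != "active" and (as_of - w.status_date).days > grace_days:
            findings.append((a.user_id, a.system, f"{w.status} since {w.status_date}"))
    return findings


def missing_mfa(accounts):
    """Accounts on key/critical systems whose holder has not enrolled in MFA."""
    return [(a.user_id, a.system) for a in accounts if a.critical and not a.mfa_enrolled]


def sod_violations(accounts, conflicts):
    """Users holding both entitlements of a conflicting pair, aggregated across systems,
    since a furlough-driven reassignment can create a conflict that no single system shows."""
    held = {}
    for a in accounts:
        held.setdefault(a.user_id, set()).update(a.entitlements)
    return [(u, x, y) for u, ents in sorted(held.items())
            for (x, y) in conflicts if x in ents and y in ents]


if __name__ == "__main__":
    for name, rows in (("stale access", stale_access(ROSTER, ACCOUNTS, AS_OF)),
                       ("missing MFA", missing_mfa(ACCOUNTS)),
                       ("SoD conflicts", sod_violations(ACCOUNTS, SOD_CONFLICTS))):
        print(f"{name}: {len(rows)} finding(s)")
        for r in rows:
            print("  ", r)
```

Each function returns the exceptions rather than printing them, so the same tests can be run against a real roster and access export and the results kept as audit evidence for the period in question.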

These are only a few of the COVID-19 impact considerations that need to be assessed. If changes in operations are required as a result of the pandemic, service organizations are responsible for properly identifying the objectives, risks and controls, in addition to properly reflecting these changes within the system description. 

For more examples of key IT security considerations, review the IT audit checklist.

Impact on risk assessment

Service organizations should review their risk assessment process to determine whether COVID-19 has changed the scope of the system or introduced new risks to the achievement of objectives or criteria, and confirm that the organization has properly addressed those changes and new risks.

  • For SOC 1, the overall risk assessment should include COVID-19 considerations and determine whether any objectives, risks and/or controls have been affected.
  • For SOC 2, the same considerations should be applied to the in-scope trust services criteria: how COVID-19 affects security, availability, processing integrity, confidentiality and/or privacy.

As a result of the risk assessment for SOC 2, specifically regarding security considerations, the service organization will need to assess whether new risks arise from increases in remote workers. Do remote workers practice good cyber hygiene? Should multi-factor authentication or additional security measures be put in place?    

Whether or not an organization's operations have been disrupted, COVID-19 is a risk that every organization should address in its risk assessment.

Impact on on-site procedures or physical security controls

Many organizations continue to work remotely because of the pandemic and will do so for the foreseeable future. As companies reestablish their workforces in office settings, restrictions may still apply to visitors (e.g., auditors, other third-party vendors). As such, service organizations should expect that most walkthroughs and testing will be conducted remotely in 2020, which may affect procedures that were typically performed on-site.

The most common procedures are the physical security walkthroughs of buildings and data centers that ensure security measures and environmental protections are in place. Although guidance may vary by firm, and more guidance is forthcoming, there will likely be an increase in video conferencing to perform virtual walkthroughs. Service organizations should begin to discuss the appropriate approach with their service auditors.

Impact on the SOC examination

Service organizations can expect to discuss the impacts of COVID-19 on their business and the scope of the report with their auditors. Here are examples of how you can expect to interact with your service organization auditor:

  • Discuss the impacts on the in-scope objectives or criteria, risks and controls.
  • Review the service organization's risk assessment to determine how the organization has identified COVID-19 as a risk and evaluated its impact.
  • Expect an increased focus on sample testing during the period of the pandemic, since the auditor may perceive a higher risk that controls did not operate as designed during that time.
  • Review the system description for proper disclosure of any changes during the period to the scope, operations or controls.

For user entities

As a user of SOC 1 and/or SOC 2 reports, it is important to have frequent communication with your critical or key vendors to discuss whether COVID-19 has significantly impacted their operations or the SOC report. Remember the following as you review SOC reports with a period that includes the timing of the pandemic:

  • Review the SOC report for disclosures on any changes to the system, operations or controls as a result of COVID-19. Assess whether any changes impact you and your reliance on the SOC report.
  • Review the SOC report for exceptions as you normally would, and expect that some organizations may have increases in exceptions due to the pandemic. Evaluate the exceptions and impacts as you normally would.
  • Review the complementary user entity considerations and assess whether any additional considerations were added due to any changes in the system description or controls.

For more information on this topic, or to learn how Baker Tilly SOC specialists can help, contact our team.

Mark J. Boettcher
Partner, CPA, CISA, CBCP