SOC reporting in a COVID-19 environment

The COVID-19 pandemic has impacted a significant number of organizations. As many have transitioned to remote environments, or scaled down their workforce through furloughs or employee reductions, we must be attentive to the resulting changes in controls and operations.

Whether you are a service organization or an entity that relies on these businesses, you should carefully consider the effects of COVID-19 in the context of Service Organization Control (SOC) 1 and SOC 2 reports.

Service organization considerations

Service organizations must address the effects of COVID-19 based on the impact to operations and controls. It is also important to assess additional considerations for new risks resulting from the pandemic.

Impact on controls

Service organizations should evaluate their operational and information technology (IT) environments and controls to determine whether any controls have been affected. You may want to ask yourself the following questions:

  • Has your organization furloughed or reduced your workforce? If so, you should assess whether the reduction impacted the execution of controls.
  • Have you clearly communicated the transition of control responsibilities? If not, management should review controls and properly communicate roles and responsibilities for control execution.
  • Did furloughs or other workforce reductions impact the segregation of duties? If so, assess the resulting risk and consider mitigating it through additional monitoring.
  • Have some controls required employees to be on-site with access to call centers, mailrooms or other resources? If so, you should assess whether requirements for remote working have impacted those areas, or if changes have occurred to those controls.
  • Has the operation of controls been delayed due to the impacts of the pandemic? If so, you should consider timeliness objectives and whether additional resources or changes need to occur to assist with the execution of controls.

With a greater reliance on remote work environments, you must carefully evaluate any IT security risks. You should consider the following:

  • Evaluate if all remote workers with access to regulated data received appropriate training on handling that data in a remote work environment.
  • Validate new user provisioning/removal still operates with appropriate validation of users who are remote.
  • Ensure you have communicated additional guidance on remote work cybersecurity practices to remote workers.
  • Validate security of any applications or systems that were recently web-enabled for remote work.
  • Verify that all critical systems require multi-factor authentication (MFA) by remote workers.

If the pandemic forced changes to your operations, you are responsible for properly identifying the objectives, risks and controls, and properly reflecting these changes within the system description.

Impact on risk assessment

Service organizations should review their risk assessment process to determine if COVID-19 changed the scope of the system and/or introduced new risks to the achievement of objectives or criteria. A thorough risk assessment will help your organization identify vulnerable areas and guide your decision making.

  • For SOC 1, the overall risk assessment should include COVID-19 considerations, and determine whether any objectives, risks and/or controls have been impacted.
  • For SOC 2, you should give additional considerations to the in-scope criteria and impacts of COVID-19 on security, availability, processing integrity, confidentiality and/or privacy.

As a result of the risk assessment for SOC 2, specifically regarding security considerations, the service organization will need to assess whether an increase in remote workers raises new risks. For example, you may need to implement multi-factor authentication or additional security measures to mitigate risks that did not exist before COVID-19.

Whether or not your organization was impacted, COVID-19 is a risk that requires careful evaluation and consideration by all organizations.

Impact on on-site procedures or physical security controls

It is widely understood that many organizations transitioned to remote work due to the ongoing pandemic, and it is likely to be the “norm” for some time. However, in the future, even as some workers return to the office, further restrictions may still exist for visitors (e.g., auditors, other third-party vendors). As such, these outside parties will likely conduct a majority of walkthroughs and testing remotely in 2020, thereby impacting some procedures traditionally performed on-site.

The most common procedures are the physical security walkthroughs of buildings and data centers that evaluate security measures and environmental protections. Although guidance may vary by firm, and more guidance is forthcoming, we expect an increase in video conferencing to perform virtual walkthroughs. Service organizations should begin to discuss the appropriate approach with their service auditors.

Impact on the SOC examination

You can expect discussions with your auditors regarding the impacts of COVID-19 on your organization and the scope of your SOC report. For example, you and your auditor may seek to:

  • Discuss the impacts to the objectives or criteria, risks and controls in-scope.
  • Review the service organization’s risk assessment to determine how the organization has identified COVID-19 as a risk and evaluated the impact.
  • Increase the focus on sample testing during the pandemic period, as an auditor may perceive a higher risk of controls not performing due to the impact of the pandemic.
  • Review the system description for proper disclosure of any changes to the scope, operations or controls during the coronavirus period.

User entities

For those that use SOC reports, you need to review and understand what to look for in the report, including the period impacted by the pandemic.

As a user of SOC 1 and/or SOC 2 reports, it is important to have frequent communication with your critical or key vendors to discuss whether COVID-19 has significantly impacted their operations or the SOC report. As you review SOC reports with a period that includes the timing of the pandemic, here are a few items to keep in mind:

  • Review the SOC report for disclosures on any changes to the system, operations or controls as a result of COVID-19. Assess whether any changes impact you and your reliance on the SOC report.
  • Review the SOC report for exceptions and expect that some organizations may have increased exceptions due to the pandemic.
  • Review the complementary user entity considerations and assess whether any additional considerations were added due to changes in the system description or controls.

Why is a SOC report more important in a COVID-19 environment?

The COVID-19 crisis and the significant rise in cyberattacks make a SOC audit more important now than ever. Now is the time to evaluate your compliance with internal controls and any external regulations, and reassure your customers that their data is still in good, safe hands.

SOC reports can do the following for your organization:

1. Demonstrate your strength

A SOC exam can prove to your customers that you have maintained your internal controls. It reassures them that their data is safe with you, even in the midst of a major global crisis. Not only does this demonstrate your strength, but it also helps to bolster your reputation and retain customers.

2. Avoid a gap in coverage

SOC exams are annual events that cover a specific control period. However, because of COVID-19, you may be tempted to shift the control period by several months. In turn, customers may question what controls were in place during that gap. Conducting a SOC audit that covers the pandemic period can help ease concerns and provide answers for your customers.

3. Comply with regulations

Regardless of the changes stemming from the COVID-19 health crisis, standards and regulations are still in place and you must comply. For example, if you work with healthcare organizations you still have to comply with HIPAA during the pandemic, and financial institutions must continue to comply with the Gramm-Leach-Bliley Act. The list goes on.

Maintaining compliance before, during and after COVID-19 is critical. By performing a SOC exam, you can demonstrate your continued attention to your controls to your customers, further putting their minds at ease.

4. Disclose new technology, procedures and controls

It is likely during COVID-19 that your organization implemented new technology and procedures. For instance, you may have implemented paperless technology to enable a remote workforce, or other technology around data encryption, remote access and data transfer.

Utilizing these technologies looks good to your customers, as it shows a concerted effort to protect data and prevent breaches and other attacks. If you’re spending the time and money to institute these technologies, you may as well get credit by disclosing them in your SOC report.

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.