The COVID-19 pandemic has affected a significant number of organizations. As many have shifted to remote work, or reduced their workforce through furloughs and layoffs, we must pay attention to the resulting changes in controls and operations.
Whether you are a service organization or an entity that relies on one, you should carefully consider the effects of COVID-19 in the context of System and Organization Controls (SOC) 1 and SOC 2 reports.
Service organizations must address the effects of COVID-19 in proportion to their impact on operations and controls, and should also assess the new risks the pandemic has introduced.
Service organizations should evaluate their operational and information technology (IT) environments to determine which controls have been affected. You may want to ask yourself the following questions:
With a greater reliance on remote work environments, you must carefully evaluate the IT security risks that remote access introduces. You should consider the following:
If the pandemic forced changes to your operations, you are responsible for identifying the affected objectives, risks and controls, and for reflecting those changes accurately in the system description.
Service organizations should review their risk assessment process to determine if COVID-19 changed the scope of the system and/or introduced new risks to the achievement of objectives or criteria. A thorough risk assessment will help your organization identify vulnerable areas and guide your decision making.
For SOC 2, the security portion of the risk assessment should specifically consider whether an increase in remote workers creates new risks. For example, you may need to implement multi-factor authentication for remote access, or other security measures that mitigate risks that did not exist before COVID-19.
Even if your organization was not directly affected, COVID-19 is a risk that every organization should evaluate and document.
It is widely understood that many organizations transitioned to remote work due to the ongoing pandemic, and it is likely to be the “norm” for some time. However, in the future, even as some workers return to the office, further restrictions may still exist for visitors (e.g., auditors, other third-party vendors). As such, these outside parties will likely conduct a majority of walkthroughs and testing remotely in 2020, thereby impacting some procedures traditionally performed on-site.
The procedures most affected are the physical security walkthroughs of buildings and data centers that evaluate physical access controls and environmental protections. Although guidance may vary by firm, and more guidance is forthcoming, we expect an increase in the use of video conferencing to perform virtual walkthroughs. Service organizations should begin discussing the appropriate approach with their service auditors now.
You can expect discussions with your auditors regarding the impacts of COVID-19 on your organization and the scope of your SOC report. For example, you and your auditor may seek to:
For those that use SOC reports, you need to review and understand what to look for in the report, including the period impacted by the pandemic.
As a user of SOC 1 and/or SOC 2 reports, it is important to communicate frequently with your critical or key vendors to discuss whether COVID-19 has significantly affected their operations or their SOC report. As you review SOC reports whose period includes the pandemic, here are a few items to keep in mind:
The COVID-19 crisis and the significant rise in cyberattacks make a SOC audit more important now than ever. Now is the time to evaluate your compliance with internal controls and any external regulations, and reassure your customers that their data is still in good, safe hands.
SOC reports can do the following for your organization:
1. Demonstrate your strength
A SOC exam can demonstrate to your customers that you have maintained your internal controls. It reassures them that their data is safe with you, even in the midst of a major global crisis. Not only does this demonstrate your strength, but it also helps to bolster your reputation and retain customers.
2. Avoid a gap in coverage
SOC exams are typically performed annually, and a Type 2 report covers a defined review period. Because of COVID-19, you may be tempted to shift that period by several months, but doing so leaves a stretch of time that no report covers, and customers may question what controls were in place during that gap. Conducting a SOC audit whose period covers the pandemic can help ease those concerns and provide answers for your customers.
3. Comply with regulations
Regardless of the changes stemming from the COVID-19 health crisis, standards and regulations are still in place and you must comply. For example, if you work with healthcare organizations you still have to comply with HIPAA during the pandemic, and financial institutions must continue to comply with the Gramm-Leach-Bliley Act. The list goes on.
Maintaining compliance before, during and after COVID-19 is critical. By performing a SOC exam, you can demonstrate your continued attention to your controls to your customers, further putting their minds at ease.
4. Disclose new technology, procedures and controls
During COVID-19 your organization likely implemented new technology and procedures. For instance, you may have adopted paperless processes to enable a remote workforce, or new technology for data encryption, remote access and data transfer.
Using these technologies looks good to your customers, as it shows a concerted effort to protect data and prevent breaches and other attacks. If you are spending the time and money to put these technologies in place, you may as well get credit for them by disclosing them in your SOC report. Keep in mind that any control you include in the system description is in scope for the auditor's testing, so disclose the controls that are actually designed and operating as described.
For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.