The COVID-19 pandemic has impacted nearly all organizations. Many have transitioned their workforce to remote environments, or scaled down their workforce through furloughs or employee reductions. These impacts should be carefully considered in the context of System and Organization Controls (SOC) 1 and SOC 2 reports, for both the service organizations and user entities of the reports.
Impact on controls
Service organizations should evaluate their operational and information technology (IT) environments and controls to determine whether any controls have been affected. Consider the following:
With increases in remote work environments, IT security risks also need to be evaluated. Consider the following:
These are only a few of the COVID-19 impact considerations that need to be assessed. If changes in operations are required as a result of the pandemic, service organizations are responsible for properly identifying the objectives, risks and controls, in addition to properly reflecting these changes within the system description.
For more examples of key IT security considerations, review the IT audit checklist.
Impact on risk assessment
Service organizations should review their risk assessment process to determine whether COVID-19 has changed the scope of the system or introduced new risks to the achievement of objectives or criteria, and ensure the organization has properly addressed those changes and new risks.
As a result of the risk assessment for SOC 2, specifically regarding security considerations, the service organization will need to assess whether new risks arise from increases in remote workers. Do remote workers practice good cyber hygiene? Should multi-factor authentication or additional security measures be put in place?
Whether organizations have been impacted or not, COVID-19 is a risk that should be addressed by all organizations.
Impact on on-site procedures or physical security controls
Many organizations continue to work remotely because of the pandemic, and will continue to do so for the foreseeable future. Even as companies reestablish their workforces in office settings, restrictions may still apply to visitors (e.g., auditors, other third-party vendors). As such, service organizations should expect that the majority of walkthroughs and testing will be conducted remotely in 2020, which may affect some procedures that were typically performed on-site.
The most common procedures are the physical security walkthroughs of buildings and data centers that ensure security measures and environmental protections are in place. Although guidance may vary by firm, and more guidance is forthcoming, there will likely be an increase in video conferencing to perform virtual walkthroughs. Service organizations should begin to discuss the appropriate approach with their service auditors.
Impact on the SOC examination
Service organizations can expect to discuss the impacts of COVID-19 on their business and the scope of the report with their auditors. Here are examples of how you can expect to interact with your service organization auditor.
As a user of SOC 1 and/or SOC 2 reports, it is important to have frequent communication with your critical or key vendors to discuss whether COVID-19 has significantly impacted their operations or the SOC report. Remember the following as you review SOC reports with a period that includes the timing of the pandemic:
For more information on this topic, or to learn how Baker Tilly SOC specialists can help, contact our team.