The World Has Changed Due to COVID-19—Has Your SOC Report?

The COVID-19 pandemic uprooted our definition of normal, leaving us to cope with a new normal that seems to be redefined daily. During these trying times, it’s important that management identifies, analyzes, and mitigates evolving risks.

In a rapidly changing environment, service organizations are required to quickly mobilize and consider how major disruptions are affecting their operations, customers, vendors, and suppliers. This is especially true when customers are counting on services to keep their business going.

System and Organization Control (SOC) for Service Organizations reports are designed to help organizations build trust and confidence in the service performed for other entities and controls related to the services. Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs. There are three reports prepared by an independent CPA firm—SOC 1, SOC 2, and SOC 3—as well as SOC for Cybersecurity, and SOC for Supply Chain.

Through timely and proactive action, management can work with its SOC examiner so the new normal doesn’t erode the trust and hard work of protecting the security, availability, confidentiality, processing integrity, and privacy of customers’ data.

Business Impacts

Organizations have been affected by COVID-19 disruption in multiple ways—ranging from limited to significant. Identifying core processes and critical business objectives allows a service organization to pivot and adapt resources where required.

While not an exclusive list, the following are nine major consequences of the pandemic that directly impact internal controls and planned or ongoing SOC examinations, as well as next steps for management.

1.    Business and Market Disruptions

Given the widespread disruption caused by the pandemic, changes or disruptions in the business cycle can materially alter the enterprise risk profile.

Management Next Steps
  • Review impact to business, system, controls and other reporting factors
  • Revisit your enterprise risk assessment and conduct a COVID-19-focused supplementary risk assessment when appropriate to help ensure appropriate internal controls coverage for the threats associated with the pandemic.
  • Update your understanding of system description, risks, and controls

2.    Remote Workforce

Implementing a work-from-home strategy can impact management’s internal controls—from execution controls and VPN access to assessing the infrastructure changes required to support a large remote workforce.

Management Next Steps
  • Understand and discuss the impact of a remote workforce with the examiner

3.    Reduced Hours, Furlough, Turnover

Changes to personnel, including a reduced staffing model, can impact the design and effectiveness of management’s internal controls in various ways.

Key personnel and process owners may not be available to perform activities essential to the functioning of internal controls, which could trigger changes to the frequency and precision of controls.

Management Next Steps
  • Consider if your controls may need to be replaced with new controls or software

4.    Social Distancing and Travel Restrictions

Travel restrictions can curtail activities that were once part of routine business operations and governance. From crucial management and board meetings to on-site procedures performed by the SOC examiner, social distancing and travel restrictions can impact both internal controls and the examiner’s ability to assess their design and effectiveness.

Management Next Steps
  • Communicate with your examiner—focusing on timely communication under these conditions is key
  • Identify alternate procedures for on-site visits or other physical observations

5.    Control Change, Pause, or Loss

There can be changes in the evidence that supports the performance of a control, or controls that may need to be paused, such as on-site assessments for critical vendors. This could be an important discussion item with your examiner.

Management Next Steps
  • Identify which controls will, and which won’t, continue to function as designed.

6.    Automated and Manual Controls

Management can consider automating internal controls for one of two reasons: 1) to compensate for reduced workforce levels and remote employees and 2) to increase efficiency.

Management Next Steps
  • Approach the slowdown in business activity as an opportunity to make refinements and improvements to business processes and internal controls.
  • Discuss with the examiner any changes to controls during an examination period

7.    Modified Segregation of Duties and Responsibilities

With a potential reduction in workforce, management must stay cognizant of changes to business processes that negate controls designed to ensure segregation of duties within responsibilities and privileges.

This includes ensuring appropriate coverage for user access appropriateness reviews as well as ensuring developers aren’t charged with migrating code to production environments.

Management Next Steps
  • Review current and revised practices so segregated duties aren’t adversely affected because of operating control changes

8.    Monitoring Activities

With an increasing reliance on collaboration tools and technologies for remote workers, there has been a marked increase in phishing attempts and ransomware attacks. In addition, changes in regular operations may mean that standard monitoring controls are no longer taking place.

Management Next Steps
  • Maintain a vigilant eye through the use of robust monitoring controls to counteract these threats
  • Evaluate if you still have the ability to obtain sufficient audit evidence
  • Perform a check that all monitoring functions remain in effect and monitoring results continue to be documented for eventual use as audit evidence

9.    Subservice Organizations and Vendors

Stemming from the disruption caused by COVID-19, vendors and subservice providers may have made changes to their compliance programs, internal controls, and complementary user entity controls.

Management Next Steps
  • Ask critical vendors and subservice providers about the steps they’re taking to mitigate the risk posed by the pandemic
  • Preempt any changes to complementary user entity controls, also known as CUECs, or internal controls at the vendor with mitigating or complementary controls

Service Auditor Impacts

Service organizations rely on service auditors to provide independent assessments on the design, function, and operation of internal controls. Business disruptions, such as those above, can affect the process of working with a service auditor.

Here are some considerations:

  • Audit approach and timing. Working through an audit in a virtual environment can create a need for clear communication protocols, lengthened timelines, and frequent touch points. Assess if COVID-19 impacts are sufficient to adjust the audit period.
  • Test procedures. Additional procedures may need to be performed because of operational impacts.
  • Documentation and presentation. If evidence has only been available in a physical format in the past, organizations and auditors will need to collaborate on collection or other means of testing.
  • Disclosure and impacts. Planning becomes a critical step in the audit process to ensure any complications have been considered and an appropriate response or alternative method has been developed.

We’re Here to Help

With so much change, it’s important for management to assess if the service organization’s system and controls changed as a result of government stay-at-home mandates and other restrictions. It’s also time to update your organization’s risk assessment and look at modifying management’s description and assertion in any SOC reports.

By assessing how COVID-19 affects the internal controls of an organization, it’s possible for both service organizations and service auditors to take the steps needed to mitigate the risk of unforeseen issues that could negatively influence the control environment and adversely impact SOC reporting.

For help on next steps with your SOC reporting, contact your Moss Adams professional.

Note on COVID-19

During this unparalleled time, we’re closely monitoring the COVID-19 situation as it evolves so we can provide up-to-date guidance and support to help you combat uncertainty. For regulatory updates, strategies to help cope with subsequent risk, and possible steps to bolster your workforce and organization, please see the following resources: