How Unexpected Disruptions Could Impact a SOC Report

Jared James, Partner, IT Consulting Services
Chris Kradjan, Partner, IT Consulting Services
Raveen Bhasin, Senior Manager, IT Compliance Services

This article was updated September 15, 2022.

Unexpected disruption, such as the COVID-19 pandemic, can uproot our definition of normal. As organizations settle into their new normal, it’s important that management identifies, analyzes, and mitigates evolving risks.

System and organization controls (SOC) reports help organizations build trust and confidence in the service performed for other entities. Each type of SOC examination, commonly referred to as a SOC audit, can help service organizations meet their specific user needs.

There are three reports prepared by independent CPA firms—SOC 1, SOC 2, and SOC 3—as well as SOC audits for cybersecurity and SOC audits for supply chain.

Through timely and proactive action, management can work with SOC examiners so the new normal doesn’t erode the trust and hard work of protecting the security, availability, confidentiality, processing integrity, and privacy of customer data.

Business Impacts for SOC Audits

Organizations can be affected by disruption in multiple ways. Identifying core processes and critical business objectives allows for pivoting and adapting organization resources where required.

While not a complete list, following are seven major consequences of disruption that can directly impact internal controls, planned or ongoing SOC audits, and next steps for management.

1. Business and Market Disruptions

Given the widespread disruption that occurred during the pandemic, from supply chain challenges to financial struggles, changes or disruptions in the business cycle can materially alter the enterprise risk profile.

Management Next Steps
  • Review impact to business, system, controls, and other reporting factors
  • Revisit your enterprise risk management protocol and conduct a supplementary risk assessment to help assess if appropriate internal controls provide coverage for unexpected threats
  • Update your understanding of system description, risks, and controls

2. Remote Workforce

A work-from-home strategy could impact management’s internal controls, from execution controls and VPN access to assessing the infrastructure changes required to support a large remote workforce.

Management Next Steps
  • Understand and discuss the impact of a remote workforce with your SOC examiner
  • Explore monitoring controls for tools to maintain the integrity and security of your systems
  • Review policies and procedures to ensure acceptable use is clearly defined along with other relevant policies such as data classification, handling, and removal
  • Reassess physical access and monitoring controls for facilities with sensitive data and equipment

3. Control Change, Pause, or Loss

There can be changes in evidence that support the performance of controls that may need to be paused, such as on-site assessments for critical vendors. This could be an important discussion with your SOC examiner.

Management Next Steps
  • Identify which controls will and won’t continue to function as designed
  • Consider how physical media that’s used in operations is stored, retained, or disposed of
  • Modify office network restricted environments to limit traffic to approved personnel.

4. Automated and Manual Controls

Management can consider automating internal controls for one of two reasons:

  1. Compensate for reduced workforce levels and remote employees
  2. Increase efficiency
Management Next Steps
  • Approach your new normal as an opportunity to make refinements and improvements to business processes and internal controls
  • Discuss with your SOC examiner any changes to controls during an updated SOC audit timeframe

5. Modified Segregation of Duties and Responsibilities

If a reduction in workforce is part of your new environment, management must stay cognizant of changes to business processes that negate controls designed to ensure segregation of duties within responsibilities and privileges.

This includes checking for appropriate coverage for user access appropriateness reviews as well as ensuring developers aren’t charged with migrating code to production environments.

Management Next Steps

Review current and revised practices so segregated duties aren’t adversely affected because of operating control changes.

6. Monitoring Activities

An increased reliance on collaboration tools and technologies for remote workers has marked an increase in phishing attempts and ransomware attacks. In addition, changes in regular operations may mean that standard monitoring controls are no longer taking place.

Management Next Steps
  • Maintain a vigilant eye through robust monitoring controls to counteract threats
  • Evaluate if you can still obtain sufficient audit evidence
  • Perform a check that all monitoring functions remain in effect and monitoring results continue to be documented for eventual use as audit evidence

7. Subservice Organizations and Vendors

Vendors and subservice providers may have made changes to their compliance programs, internal controls, and complementary user entity controls.

Management Next Steps
  • Ask critical vendors and subservice providers about the steps they’re taking to mitigate risk
  • Preempt any changes to complementary user entity controls, also known as CUECs, or internal controls at the vendor with mitigating or complementary controls

Service Auditor SOC Report Impacts

Organizations rely on service auditors to provide independent assessments on the design, function, and operation of internal controls. Business disruptions can affect the process of working with a service auditor.

Here are some considerations:

  • Audit approach and timing. Working through an audit in a virtual environment can create a need for clear communication protocols, lengthened timelines, and frequent touch points. Assess if impacts are sufficient to adjust the audit period.
  • Test procedures. Additional procedures may need to be performed because of operational impacts.
  • Documentation and presentation. If evidence was only available in a physical format in the past, organizations and auditors will need to collaborate on collection or other means of testing.
  • Disclosure and impacts. Planning becomes a critical step in the audit process to ensure any complications have been considered and an appropriate response or alternative method has been developed.

We’re Here to Help

With so much change, it’s important for management to assess if an organization’s system and controls changed. Update your organization’s risk assessment and look at modifying management’s description and assertion in any SOC reports.

By assessing how the post-pandemic environment affects the internal controls of an organization, it’s possible for both service organizations and service auditors to take the required steps needed to mitigate issues that could negatively influence the control environment and SOC reporting.

For help on next steps with your SOC reporting, contact your Moss Adams professional or visit our SOC Examinations page to learn more.

Ask a Question

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.

Related Topics

Guide | SOC Reports: Protect the Integrity of Your Internal Controls
Webcast | Increase Customer Confidence with Improved SOC Examinations
Trust Services Criteria for SOC 2 Examinations May Require Changes
SOC for Cybersecurity: How to Check the State of Your Cyber risk Program and Build Stakeholder Confidence

Contact Us with Questions

Enter security code:
 Security code