Unexpected disruption, such as the COVID-19 pandemic, can uproot our definition of normal. As organizations settle into their new normal, it’s important that management identifies, analyzes, and mitigates evolving risks.
System and organization controls (SOC) reports help service organizations build trust and confidence in the services they perform for other entities. Each type of SOC examination, commonly referred to as a SOC audit, addresses a different set of user needs.
There are three reports prepared by independent CPA firms, SOC 1 (controls relevant to user entities' financial reporting), SOC 2 (controls over security, availability, processing integrity, confidentiality, and privacy), and SOC 3 (a general-use summary of a SOC 2), as well as SOC for Cybersecurity examinations of an entity-wide cybersecurity risk management program.
Through timely and proactive action, management can work with SOC examiners so the new normal doesn’t erode the trust and hard work of protecting the security, availability, confidentiality, processing integrity, and privacy of customer data.
Organizations can be affected by disruption in multiple ways. Identifying core processes and critical business objectives allows for pivoting and adapting organization resources where required.
While not a complete list, following are seven major consequences of disruption that can directly impact internal controls, planned or ongoing SOC audits, and next steps for management.
Given the widespread disruption that occurred during the pandemic, from supply chain challenges to financial struggles, changes or disruptions in the business cycle can materially alter the enterprise risk profile.
A work-from-home strategy can affect management's internal controls at several levels: how controls are executed day to day, how VPN and remote access are provisioned and reviewed, and what infrastructure changes are required to support a large remote workforce.
Some controls, such as on-site assessments of critical vendors, may need to be paused, and the evidence that supports the performance of other controls may change form. Raise this with your SOC examiner early rather than at the end of the examination period.
Management can consider automating internal controls for one of two reasons:
If a reduction in workforce is part of your new environment, management must stay alert to changes in business processes that undermine controls designed to enforce segregation of duties across responsibilities and privileges. Fewer people often means the same person inherits roles that were deliberately kept apart.
This includes confirming that user access appropriateness reviews still have adequate coverage (including prompt removal of access for departed staff) and that developers are not also responsible for migrating code to production environments.
Review both current and revised practices so that segregation of duties is not eroded by operating changes to controls.
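The two checks named above, a segregation-of-duties conflict scan and a stale-account check for an access review, can be run mechanically against a role-assignment export. The following Python is an added example, not code from the original article or from Moss Adams; the role names, capability strings, CSV layout, and HR active-user list are constructed assumptions standing in for whatever your IAM or CI/CD system actually exports.

```python
"""Segregation-of-duties (SoD) and access-review checks over a role export.

Added example. Role names, capability strings and the CSV format below are
assumptions; substitute the real export from your IAM / deployment tooling.
"""
import csv
import io
from collections import defaultdict

# Pairs of capabilities that one person must not hold together. Holding both
# lets a single individual complete a sensitive process end to end, e.g. write
# code and promote it to production without an independent gate.
SOD_CONFLICTS = {
    frozenset({"code:write", "prod:deploy"}),
    frozenset({"access:request", "access:approve"}),
    frozenset({"vendor:create", "payment:release"}),
}

# Role -> capabilities granted (constructed; real mapping comes from IAM).
ROLE_CAPS = {
    "developer": {"code:write", "code:review"},
    "release_manager": {"prod:deploy"},
    "access_admin": {"access:approve"},
    "employee": {"access:request"},
    "ap_clerk": {"vendor:create"},
    "controller": {"payment:release"},
}

# Constructed export: after a reduction in force, bob absorbed the release
# manager role and carol left the company but was never deprovisioned.
ASSIGNMENTS_CSV = """user,role
alice,developer
alice,employee
bob,developer
bob,release_manager
bob,employee
carol,access_admin
carol,employee
dave,ap_clerk
dave,controller
"""

# Constructed HR list of currently active staff (carol is absent).
ACTIVE_USERS = ["alice", "bob", "dave"]


def parse_assignments(csv_text):
    """Return a list of (user, role) tuples from a user,role CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["user"].strip(), row["role"].strip()) for row in reader]


def user_capabilities(assignments, role_caps=ROLE_CAPS):
    """Flatten role assignments into the effective capability set per user."""
    caps = defaultdict(set)
    for user, role in assignments:
        # An unknown role grants nothing here; in practice log it for review.
        caps[user] |= set(role_caps.get(role, ()))
    return caps


def find_sod_violations(assignments, role_caps=ROLE_CAPS, conflicts=SOD_CONFLICTS):
    """Return sorted (user, (cap_a, cap_b)) pairs where a user holds both
    sides of a defined SoD conflict, regardless of which roles supplied them."""
    violations = []
    for user, caps in user_capabilities(assignments, role_caps).items():
        for pair in conflicts:
            if pair <= caps:  # both conflicting capabilities are held
                violations.append((user, tuple(sorted(pair))))
    return sorted(violations)


def find_stale_accounts(assignments, active_users):
    """Access-review check: users with assignments who are no longer active."""
    return sorted({user for user, _ in assignments} - set(active_users))


if __name__ == "__main__":
    rows = parse_assignments(ASSIGNMENTS_CSV)
    for user, pair in find_sod_violations(rows):
        print(f"SoD conflict: {user} holds {pair[0]} and {pair[1]}")
    for user in find_stale_accounts(rows, ACTIVE_USERS):
        print(f"Stale account: {user} still has assignments but is not active")
```

The point of flattening roles to capabilities first is that SoD conflicts usually arise from the combination of two legitimate roles, not from a single over-broad role, so checking role names alone misses them. Run the scan on every access review cycle and on each reorganization, and keep the output as evidence for the examiner.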
Increased reliance on collaboration tools and technologies for remote workers has coincided with a rise in phishing attempts and ransomware attacks. In addition, changes in regular operations may mean that standard monitoring controls are no longer being performed, or are performed without the evidence the examiner will expect to see.
Vendors and subservice providers may have changed their compliance programs, internal controls, and complementary user entity controls; obtain their updated SOC reports and confirm the controls you are expected to operate still match your practices.
Organizations rely on service auditors to provide independent assessments of the design and operating effectiveness of internal controls. Business disruptions can affect the process of working with a service auditor.
Here are some considerations:
With so much change, it's important for management to assess whether the organization's system and its controls have changed. Update the organization's risk assessment and consider whether management's description of the system and its assertion in any SOC report need to be revised to match.
By assessing how the post-pandemic environment affects an organization's internal controls, service organizations and service auditors can take the steps needed to mitigate issues that could otherwise weaken the control environment and the resulting SOC report.
For help on next steps with your SOC reporting, contact your Moss Adams professional or visit our SOC Examinations page to learn more.