How Unexpected Disruptions Could Impact a SOC Report

Jared James, Principal, IT Consulting Services
Chris Kradjan, Principal, IT Consulting Services
Raveen Bhasin, Director, IT Compliance Services

July 8, 2020 | Updated September 15, 2022
LinkedIn Share Button Twitter Share Button Other Share Button Other Share Button
unusual architecture

Unexpected disruption, such as the COVID-19 pandemic, can uproot our definition of normal. As organizations settle into their new normal, it’s important that management identifies, analyzes, and mitigates evolving risks.

System and organization controls (SOC) reports help organizations build trust and confidence in the service performed for other entities. Each type of SOC examination, commonly referred to as a SOC audit, can help service organizations meet their specific user needs.

There are three reports prepared by independent CPA firms—SOC 1, SOC 2 and SOC 3—as well as SOC audits for cybersecurity.

Through timely and proactive action, management can work with SOC examiners so the new normal doesn’t erode the trust and hard work of protecting the security, availability, confidentiality, processing integrity, and privacy of customer data.

Business Impacts for SOC Audits

Organizations can be affected by disruption in multiple ways. Identifying core processes and critical business objectives allows for pivoting and adapting organization resources where required.

While not a complete list, following are seven major consequences of disruption that can directly impact internal controls, planned or ongoing SOC audits, and next steps for management.

1. Business and Market Disruptions

Given the widespread disruption that occurred during the pandemic, from supply chain challenges to financial struggles, changes or disruptions in the business cycle can materially alter the enterprise risk profile.

Management Next Steps
  • Review impact to business, system, controls, and other reporting factors
  • Revisit your enterprise risk management protocol and conduct a supplementary risk assessment to help assess if appropriate internal controls provide coverage for unexpected threats
  • Update your understanding of system description, risks, and controls

2. Remote Workforce

A work-from-home strategy could impact management’s internal controls, from execution controls and VPN access to assessing the infrastructure changes required to support a large remote workforce.

Management Next Steps
  • Understand and discuss the impact of a remote workforce with your SOC examiner
  • Explore monitoring controls for tools to maintain the integrity and security of your systems
  • Review policies and procedures to ensure acceptable use is clearly defined along with other relevant policies such as data classification, handling, and removal
  • Reassess physical access and monitoring controls for facilities with sensitive data and equipment

3. Control Change, Pause, or Loss

There can be changes in evidence that support the performance of controls that may need to be paused, such as on-site assessments for critical vendors. This could be an important discussion with your SOC examiner.

Management Next Steps
  • Identify which controls will and won’t continue to function as designed
  • Consider how physical media that’s used in operations is stored, retained, or disposed of
  • Modify office network restricted environments to limit traffic to approved personnel.

4. Automated and Manual Controls

Management can consider automating internal controls for one of two reasons:

  1. Compensate for reduced workforce levels and remote employees
  2. Increase efficiency
Management Next Steps
  • Approach your new normal as an opportunity to make refinements and improvements to business processes and internal controls
  • Discuss with your SOC examiner any changes to controls during an updated SOC audit timeframe

5. Modified Segregation of Duties and Responsibilities

If a reduction in workforce is part of your new environment, management must stay cognizant of changes to business processes that negate controls designed to ensure segregation of duties within responsibilities and privileges.

This includes checking for appropriate coverage for user access appropriateness reviews as well as ensuring developers aren’t charged with migrating code to production environments.

Management Next Steps

Review current and revised practices so segregated duties aren’t adversely affected because of operating control changes.

6. Monitoring Activities

An increased reliance on collaboration tools and technologies for remote workers has marked an increase in phishing attempts and ransomware attacks. In addition, changes in regular operations may mean that standard monitoring controls are no longer taking place.

Management Next Steps
  • Maintain a vigilant eye through robust monitoring controls to counteract threats
  • Evaluate if you can still obtain sufficient audit evidence
  • Perform a check that all monitoring functions remain in effect and monitoring results continue to be documented for eventual use as audit evidence

7. Subservice Organizations and Vendors

Vendors and subservice providers may have made changes to their compliance programs, internal controls, and complementary user entity controls.

Management Next Steps
  • Ask critical vendors and subservice providers about the steps they’re taking to mitigate risk
  • Preempt any changes to complementary user entity controls, also known as CUECs, or internal controls at the vendor with mitigating or complementary controls

Service Auditor SOC Report Impacts

Organizations rely on service auditors to provide independent assessments on the design, function, and operation of internal controls. Business disruptions can affect the process of working with a service auditor.

Here are some considerations:

  • Audit approach and timing. Working through an audit in a virtual environment can create a need for clear communication protocols, lengthened timelines, and frequent touch points. Assess if impacts are sufficient to adjust the audit period.
  • Test procedures. Additional procedures may need to be performed because of operational impacts.
  • Documentation and presentation. If evidence was only available in a physical format in the past, organizations and auditors will need to collaborate on collection or other means of testing.
  • Disclosure and impacts. Planning becomes a critical step in the audit process to ensure any complications have been considered and an appropriate response or alternative method has been developed.

We’re Here to Help

With so much change, it’s important for management to assess if an organization’s system and controls changed. Update your organization’s risk assessment and look at modifying management’s description and assertion in any SOC reports.

By assessing how the post-pandemic environment affects the internal controls of an organization, it’s possible for both service organizations and service auditors to take the required steps needed to mitigate issues that could negatively influence the control environment and SOC reporting.

For help on next steps with your SOC reporting, contact your Moss Adams professional or visit our SOC Examinations page to learn more.

Ask a Question

The material appearing in this communication is for informational purposes only and should not be construed as advice of any kind, including legal, accounting, tax, or investment advice. This information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials have been prepared by professionals, the user should not substitute these materials for professional services, and should seek advice from an independent advisor before acting on any information presented. Changes in tax laws or other factors could affect the information provided in this communication.

Related Topics

Report
SOC Reports: Verify the Integrity of Your Internal Controls
One way to help test whether internal controls are in place and operating effectively is to conduct a system and organization control (SOC) examination, also known as a SOC audit.
Report
Article
SOC 2 Trust Services Criteria
The criteria enhances SOC 2 reporting by providing greater coverage over IT governance and operational management. Learn more.
Article
Article
How SOC for Cybersecurity Audits Work
Mitigate cyber threats and build stakeholder confidence with a SOC for Cybersecurity audit.
Article
View More

Contact Us with Questions

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Moss Adams Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.