Senior Consultant | Risk Advisory Services
Because of COVID-19, many businesses have been forced to change how they operate. More employees than ever before are working remotely, and whether you have realized it or not, your control environment has changed. Significant changes have been made to your systems, or to the way controls are performed, and it’s time to start thinking about how the pandemic will affect your SOC 1® and/or SOC 2® reporting.
SOC Reporting Consideration #1: Review and Assess New and Changing Risks Due to COVID-19
The pandemic brought changes. Due to these changes there are elevated risks that involve fraud, noncompliance with applicable laws (which are changing rapidly), vulnerabilities in your system, and changes in your controls or the temporary suspension or substitution of some controls. Likewise, your organization’s risks have likely changed, and your risk assessment should be updated to assess the effectiveness of your new environment and to identify any gaps where new controls need to be implemented. We recommend starting with your pre-pandemic risk assessment and considering whether any new risks exist that aren’t addressed by existing controls, and which controls are possibly less effective now in the COVID-19 world.
SOC Reporting Consideration #2: Accounting for System and Control Modifications
Changes have most likely been made to your operations. Any changes to your workforce, operations and/or processes need to be considered when you’re evaluating your entity’s systems and controls. Some of the things you will want to consider:
- Increases to your public network infrastructure (such as Virtual Private Networks or firewalls) – Did any changes to these systems, or the introduction of new systems change the way related controls operate?
- Shifting of responsibilities to different employees or locations – Do the individuals now responsible for the controls have a clear understanding of how and why they operate, and of what documentation is necessary to support the design and operation of the controls?
- Changes in the availability of key personnel due to a remote workforce or a reduction in workforce – Will these changes impact your ability to meet your user entity commitments and requirements?
- Different vendor risks – The risks associated with your business partners have almost certainly changed alongside your own changes, so have you accounted for the controls they should be operating?
- New and modified controls, and software enhancements – Have you considered the impact of any changes to controls or software solutions, and how supporting documentation needs to be maintained to support control design and operation for the entire SOC covered period? Have you also considered the suspension or substitution of controls, and changes in the limits or tolerances of controls because of these changes?
SOC Reporting Consideration #3: Management’s Description of the System
Because changes have been made to systems and controls, the management team needs to start considering how these changes will be communicated in the management’s description of the system in the report. Consider whether changes need to be disclosed in the services you are providing, locations, organizational structure and the number of employees, as well as the effect this has on the control environment and any significant changes made in the design and monitoring of controls. If control objectives were not met for your SOC 1® or SOC 2® report, an additional disclosure relating to the COVID-19 pandemic, describing the significant events that prevented the achievement of these objectives, may need to be included.
SOC Reporting Consideration #4: Management’s Assertion
It’s important to consider the concerns of the organizations that are relying on the information in the SOC reports. The management assertion may need to be updated to reflect control changes and to communicate to user entities any serious deficiencies in the operating effectiveness of the controls due to the COVID-19 pandemic. If changes are still being made to your systems or controls, you may also decide to delay issuing the report. Make sure that you are communicating any report timing changes. The basis for your assertion also needs to be considered. Make sure that management has evaluated whether additional procedures should be implemented and performed. A basis for the management assertion is required for SOC reporting, and consideration should be given to system and control changes during the review period, to procedures that were performed for management’s basis before the pandemic started, and to procedures that could not be performed after the pandemic began.
If you would like to learn more about SOC Reporting considerations due to COVID-19 or would like help with your organization, our Risk Advisory Services team can work with you.