Article written by:
Michael Dickson, CPA, CITP, CISA, CISM, CRISC
Director of Information Technology Services
Recent orders to stay at home are forcing unprecedented changes to our daily routines: where we work, where we go, and with whom we meet. The impact on businesses of all sizes is profound, and the decisions made today are likely to have a long-term impact on your company.
System and Organization Controls (SOC) examinations are designed to test the operation of the information technology and business process internal control systems that a company has implemented to protect the security of its customers’ data (SOC 2), or to ensure the accuracy and completeness of financial transaction processing and reporting (SOC 1). If your customers and their related stakeholders do not receive SOC reports on a timely basis, it could affect their business objectives.
Presented below are a few of the most frequently asked questions we have received from clients, and prospective clients, about how COVID-19 could impact the initiation, continuation or completion of a SOC engagement.
1. Will The COVID-19 Pandemic Have An Impact On Future SOC Engagements?
Yes. While we think it is likely to impact how future SOC examinations are administered, the examination itself will not need to change much. One of the entity-level control activities in a SOC 1 or SOC 2 report is the risk assessment process, which includes the identification of, and response to, changing threats and risks. COVID-19 has changed our historical reality. Working remotely changes everyday business processes, and these changes may “break” some of the controls built into those processes. Additionally, threats and risks to information technology general controls (SOC 1), and to the Security, Availability, Confidentiality and Processing Integrity of your systems and related customer data (SOC 2), are also likely to change, and all of these changes need to be reflected in your current risk assessment process.
2. One Or More Major Customers Have Requested A SOC Report And We Committed To Complete A SOC Examination In 2020. What Should We Do?
Customers (and others who rely on your SOC reports) are likely to be more interested in a SOC report following a pandemic such as COVID-19, so asking for deferrals may be problematic. The good news is that even under the pressures of reduced and work-from-home staff, the process of completing your SOC engagement can be managed by using collaborative technologies (e.g., Zoom or GoToMeeting) for interviews, screen sharing and document sharing. In addition, within the past year, GBQ implemented new web-based tools to streamline the process of requesting and collecting audit evidence.
While it is ideal to conduct some walk-throughs and interviews face to face, we have found that video conferencing with one or more of your staff can be just as effective for gaining an understanding of your systems on a new engagement, or for testing the effectiveness of your controls on ongoing engagements.
3. Our Systems Were Designed And Configured To Restrict Remote Access, Which Prevents Us From Collecting And Providing The Items You Request For The SOC Exam. How Will That Affect The SOC Examination?
Restricting remote access to systems is a common and recommended logical access control, so this is a very likely situation. Typically, IT security officers or network administrators restrict remote access to only those individuals who require it. Oftentimes, existing technologies can be reconfigured to allow access for additional essential personnel in a secure manner. Sometimes, however, the architecture designed and used by a few IT administrators to remotely access and support the systems is not adequate or suitable for enabling all staff to access the normal business systems. GBQ’s IT Services team can quickly review your systems and recommend alternative options for implementing secure remote access for those who require it.
With many businesses moving their production systems to the cloud, changing access configurations so authorized staff can directly access their cloud-based applications (such as within Amazon Web Services (AWS) or Microsoft Azure) from home, rather than by connecting through the office network, can be accomplished quickly and securely.
4. Our Staff Has Been Furloughed And Many Of Our Controls Did Not Operate Normally, Or Documentation Was Not Gathered Properly. What Impact Will This Have On Our Report?
It is common for a control not to operate during the testing period. Usually, this is because the event that triggers the control did not occur, such as not experiencing a high-risk security incident that would invoke your incident response plan. When this happens, the auditor simply adds an explanatory comment to the auditor’s report; the opinion is not modified.
Keep in mind that it is important for critical control points to continue operating as regularly as possible, such as scheduled meetings to review risk assessments, policy reviews, periodic user access reviews, or ticketing for the timely removal of terminated users’ access. In some instances, an annual control could be rescheduled to occur in future months, as long as it still falls within your SOC examination period. In other instances, you may need to perform those activities virtually. Either way, GBQ strongly recommends that controls not fall by the wayside, because otherwise providing the requested evidence for the examination will become more challenging.
Please see GBQ’s COVID-19 Resource page for additional insights, alerts, and useful resources related to COVID-19, or contact members of GBQ’s Information Technology Services team to discuss this information in more detail.