INTRODUCTION – SOC 2 Reporting and COVID-19
COVID-19 has not only affected human health but has disrupted almost every industry, including organizations (user organizations) that rely on other companies (service organizations) to provide services to them. Companies have either shifted their staff to remote work or reduced their workforce. Organizations that need a SOC (System and Organization Controls) report from their service organizations are uncertain whether a renewed report will be available for the period covering the pandemic. If a service organization cannot deliver its SOC report on a timely basis, the business objectives of its customers and their stakeholders, who rely on that report, may be affected.
Further, the entities that issue SOC reports (independent third-party audit firms) are concerned about how to attest to controls remotely at a time when companies have reduced headcount and revenues, or have suspended operations under government mandates. Remotely assessing risk and attesting to either internal control over financial reporting (SOC 1) or the AICPA's Trust Services Criteria (SOC 2) without being physically present at the client location has become a significant challenge. However, business must go on, and so must SOC reporting.
In this article, we touch upon the considerations that service organizations, user organizations, and third-party auditors should address during the pandemic.
Service Organizations
Service organizations should evaluate their operations and IT environments to determine whether any controls have been impacted.
The company should examine the effect of a reduced number of employees on the operation of controls. Any resulting segregation of duties (SoD) conflicts, where one person now both performs and approves an activity, should be addressed with additional monitoring controls.
User provisioning and termination processes should continue to operate effectively, including adequate verification of the identity of remote users before accounts are created, changed, or removed.
Supplementary guidance on remote-work cyber security practices should be communicated to staff working from remote locations.
The security of applications enabled for remote work should be addressed, and multi-factor authentication (MFA) should be required for all critical systems.
Service organizations should agree with their service auditors on the procedures for video-conference-based virtual walkthroughs.
User Organizations
As recipients of SOC 1 and/or SOC 2 reports, user organizations should communicate frequently with their vendors to discuss whether COVID-19 has impacted their operations and their SOC report. The following points should be considered when reviewing a SOC report whose evaluation period includes the pandemic.
The SOC report should be reviewed for any disclosures of changes to the system, operations, or controls resulting from COVID-19. An assessment should be made of whether any such change affects you and your reliance on the report.
The SOC report should also be reviewed for exceptions; an increased number of exceptions at service organizations can be expected due to the pandemic. These exceptions and their impact on your own controls should be evaluated.
The complementary user entity controls (CUECs) should be reviewed to determine whether the service provider has added items because of changes to its controls or system description, since each added item is a control you are now expected to operate yourself.
Assessors / Auditors
The following key aspects should be considered by the auditor when performing a third-party assessment remotely.
The risk associated with key personnel should be evaluated, and the organization should have adequate personnel available to support critical business and IT functions.
Changes to the organizational structure should be assessed, along with their possible impact on segregation of duties.
The organization's disaster recovery and business continuity plans should be evaluated, and changes appropriate to a pandemic situation should be recommended as required.
Given travel restrictions, remote audit methods such as video conferencing should be used to perform virtual walkthroughs, for example of the physical security and environmental protection measures in buildings and data centers.
For controls that did not operate during the testing period because the pandemic prevented them (for example, an on-site activity that could not take place), the auditor adds a rationale in the report explaining the reason; the overall opinion is not modified on that basis alone. A control that was required to operate but did not is still an exception and should be evaluated as such.
In exceptional cases, an annual control can be rescheduled to a later month, as long as it still falls within the SOC examination period. In other instances, the activity may be performed virtually. You can also visit the link below to read AICPA articles on the impact of COVID-19 on audit and assurance.
Please contact us if you would like to discuss this topic or if you have any queries related to SOC reporting.