SOC Reporting in a COVID-19 World

With the disruption resulting from COVID-19, organizations of every size are adapting their workforce responsibilities and internal control environments to reflect changes in their operations. This includes vendors and service organizations that provide services to customers who are dependent on their performance.

As a service organization, what is your responsibility to convey control environment changes and disruptions to your customers? Here are some areas to consider to help you maintain your control environment and properly communicate through your SOC report. More importantly, they will help your organization demonstrate transparency and commitment to your customers when they rely on you the most.

1. Risk Assessment, Risk Assessment, Risk Assessment. First and foremost, your organization should re-perform your risk assessment through the lens of COVID-19 operations. New controls require time, resources, and of course, money to implement and operate, so you want to be sure you are getting the highest value for your dollar when you implement new controls. A thorough risk assessment will help identify truly vulnerable areas and guide your decision making.

This risk assessment should be specific to your control environment. Here are a few questions to ask:

• What has changed in our operation (i.e. organization structure, remote work, new service, new tools) since COVID-19?
• Which of our controls (i.e. automated system controls, configurations, alert monitoring) will continue to operate as previously designed regardless of new COVID-19 operations?
• Which controls (i.e. manual, physical) do not operate as designed?

At a minimum, your risk assessment should identify specific threats to achieving your service commitments, system requirements, and business objectives as well as controls in place to mitigate the risk of those threats.

2. Take Action and Monitor. Once you have completed your risk assessment, take action on the items you have identified. Be sure to monitor control operation after implementation. Do this quickly. A type 2 SOC Report covers a period of time, so the quicker you implement mitigating controls the more limited the impact will be on your report. We recommend that you create new policy and/or procedure documents to help control owners and operators understand their roles and responsibilities for the new control operation. Initially, you should be sure to spot check the control operation frequently to ensure the new control is up and running effectively.

3. Understand Reporting Impact. Discuss with your SOC provider how this change will impact your report. Management is required, by the standard, to disclose significant changes in the internal control environment and instances of controls not operating. Your SOC provider can guide you through these disclosures and help identify other SOC reporting tactics through contemplating the following questions:

• Should your examination period be revised to account for significant changes in the environment?
• Do you need to disclose non-operation of controls if you have designed, developed, and implemented mitigating controls?
• Do you add an ‘emphasis of matter’ paragraph to your opinion to describe to your readers what you did during the impacted period?

These steps will allow you to continue to serve your clients and customers with as few disruptions as possible. Over time, you should repeat these steps as you begin to navigate the path back to normal operations. You may even find that disruptions from the pandemic led you to new and better ways to operate in the future.

Weaver can help you evaluate your SOC report control environment to ensure compliance. Contact us for more information.

Authored by Neha Patel, CPA, CISA, and Alexis Kennedy, CPA, CISSP, CISA, CCSFP.

© 2020