The Implications of COVID-19 on SOC Reports
The world as we knew it has been rocked by the global COVID-19 pandemic and the resulting economic disruption. Organizations of every size are adapting their workforce responsibilities and internal control environments to reflect changes in their operations. This includes vendors and service organizations that provide critical financial and information processing solutions.
Many are assessing their internal controls in light of the remote work environment created by COVID-19, or may be facing additional questions from their clients or auditors about their remote work control environment. Cybersecurity issues and phishing schemes have also become more common during the pandemic. As a result of the remote work and information security risks that have occurred, more organizations may be asked additional security assessment questions or face deeper scrutiny on their existing System and Organization Controls (SOC) reports. As part of ongoing SOC planning efforts, companies should have a heightened awareness of evolving risk factors such as those represented below.
During the spring of 2020, at the height of the pandemic, cybersecurity became a significant business issue. There were 1,448 malicious COVID-19-related threats reported in February 2020, and 8,319 reports as of March 16, 2020. Many threats came through phishing email messages designed to “hack and leak” companies’ and employees’ information.
Now, your clients, their financial statement auditors, and/or your SOC auditors may be asking additional questions about cybersecurity, including what your organization did to secure its information while most employees had to, or continue to, work from home. An increased awareness and focus on change management and security patches will likely result. In addition, monitoring of firewalls and incident management will take on added scrutiny.
Impact of Staffing Reductions
Many IT teams faced an increased workload as they helped their organizations’ employees transition to a remote work environment and access key systems — securely — from their homes. Availability may have also been affected by COVID-19, as employees juggled the impact closures had on childcare arrangements or were called to assist family members who contracted the virus. This may have resulted in teams having to do more with fewer people, which may have allowed for potential risk exposures that had not been an issue in the pre-COVID-19 environment.
Teams faced with reduced staff should be having proactive discussions with their service auditor to discuss options on maintaining a strong control environment under reduced efforts. At the end of the day, a control environment needs to be cost effective with the benefits outweighing the risks it is mitigating.
Remote Access Testing
Historically, SOC engagement teams have primarily focused their attention on on-site access to networks and applications. SOC clients should be prepared for more questions (and testing) on how remote access operates. It would be prudent to review key IT security controls and verify that remote access considerations, such as the use of Virtual Private Networks (VPNs) and two-factor authentication are being assessed and highlighted within the SOC report.
Third Party Risk Management
While companies are being instructed to look into their own internal controls during this period, this evaluation should be extended to vendors and subservice providers with whom they do business as well. As most companies nowadays are reliant upon someone else to manage some component of their operations, companies should be asking the question of their vendors, “What additional control measures are you putting in place to address the heightened risks in lieu of COVID-19?”
Service level agreements, if not already in place, should be formalized and management should be reviewing these reports on a recurring basis to ensure minimum required standards are being achieved.
Data Center Issues
A large number of companies utilize offsite data storage facilities either via cloud providers or local data center providers. Most SOC reports continue to have some element of physical access controls related to management of access to these facilities. With work-from-home orders in place across the country, some data centers are being forced to limit on-site staff. Your organization should be prepared for how its data centers handled the work-from-home scenarios and potential changes it may have implemented for safety, such as modifications to data center visitor policies.
Business Continuity Planning & Disaster Recovery
Due to COVID-19, many organizations are caught in the uncomfortable position of performing a live business continuity planning (BCP) or disaster recovery (DR) test. Businesses quickly learned to adapt to a fully remote environment in a short period of time. As part of this live exercise, however, some organizations may have discovered they did not have sufficient VPN licenses for concurrent users, or had to scramble to get the licensing and protocols needed to restore secure access to key systems. These lessons learned, along with a fresh evaluation of the comprehensiveness of BCP/DR programs, are just a couple of considerations for companies in the-COVID-19 environment.
In addition, organizations undergoing SOC testing should be prepared to answer additional questions around BCP/DR evaluation. Questions may arise around what BCP or DR protocols were tested, when they were tested, and how extensive the testing was (i.e., was it a tabletop exercise or were full capabilities evaluated?).
Preparing for Other SOC Report Changes
Other factors may also make the SOC report different this year than in a pre-COVID-19 scenario. To the extent your organization knows, you should notify your clients if you anticipate any changes in your annual SOC report in light of COVID-19. For example, on-site access may still be limited or the testing may take a little longer due to personnel availability, which could delay the issuance of your SOC report. Bear in mind that changes to the timing of SOC reporting could impact your client’s financial audit or other customer/vendor requirements.
For more information about SOC reporting, visit us here or you may contact Scott Woznicki, the National SOC Practice Director.
Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).