Businesses are in a period of unprecedented change, from individuals connecting to their corporate systems from home to companies rapidly shifting strategies to support changing operational methods. While organizations may be struggling to determine what “business as usual” looks like in a post-COVID-19 world, the need to maintain compliance and undergo comprehensive audits has not changed.

The need for an overwhelming majority of professional staff members to connect remotely is having unexpected consequences throughout the technology world. Information security and SOC reports remain a critical consideration for companies and their auditors everywhere. As companies transition to or from remote work environments, the AICPA continues to offer insight and guidance that will help companies retain their hard-won attestations and security posture.

What is a SOC Report?

A Service Organization Control (SOC) report provides independent assurance that a service organization has the right controls in place to address risks related to security and the other Trust Services Criteria (SOC 2) and to internal controls over financial reporting (SOC 1). There is also the SOC for Cybersecurity and the soon-to-be-released SOC for Supply Chain, which provide insight into controls specific to an organization’s cybersecurity risk management program or its supply chain management. All of these SOC reports provide assurance from an independent CPA firm that the service organization has designed and implemented an effective control environment against the criteria or control objectives applicable to each type of SOC report. More information about preparing for a SOC report and the types of SOC reports can be found here.

Reassessing Risk Due to COVID-19 Pandemic Impact on Operations

It is vital to involve your service auditor any time there are significant changes to your operations. During the COVID-19 pandemic, companies may have inadvertently added risk to their daily processes by reducing oversight or by replacing automated processes with ones that require human intervention. It is the service auditor’s responsibility to retain an appropriate level of professional skepticism when addressing these changes, so that any new or heightened risks are identified and reflected in the examination; mitigating those risks remains management’s responsibility. There may also be COVID-19-related disclosures that need to be included in the system description and other customer-facing information to retain compliance.

Performing Remote SOC Examinations

As staff members and service professionals continue following remote work procedures, there are likely to be changes to standard SOC examination practices. The AICPA has offered extensive guidance on what types of disclosures may be required of service organizations, as well as on how auditors can perform a SOC examination remotely. Service auditors weigh considerations such as the following before concluding that a remote SOC examination can be performed and supported:

  • Will the auditor have access to all relevant information while following appropriate social distancing guidelines?
  • Will the auditor be able to obtain sufficient appropriate evidence to support an opinion?
  • Are the appropriate personnel available for interviews?

SOC auditors evaluate the description of the system, the suitability of the design of controls, and, in a type 2 examination, the operating effectiveness of those controls over the examination period. The lack of an appropriate SOC examination can have dramatic adverse effects on an organization, making it critically important to ensure that these procedures can still be carried out within acceptable parameters.

Addressing Subsequent Events and Going Concern

If service auditors uncover processes or other organizational challenges that could impact the service organization’s ability to continue as a going concern, these issues should be brought to the attention of management. While there are no strict requirements that an entity disclose that its ability to continue as a going concern is in doubt, the service auditor may determine that an emphasis-of-matter paragraph should be added to the report to draw attention to the related disclosures made by management.

In a SOC engagement, service auditors should inquire of management or the engaging party about any subsequent events, that is, events occurring after the end of the examination period but before the report date, that might impact the organization or the report. While management may address these events in the “Other Information” section of the SOC report, the service auditor must then decide whether to highlight them in the auditor’s report.

Do You Need Additional Management Representations?

In the unusual circumstances created by COVID-19, additional management representations are often requested. These representations could cover:

  • Effects of COVID-19 on the service organization, its operations, and technologies used in providing services
  • Any communications to customers and business partners about changes in service level agreements or commitments
  • Disclosure of all changes to systems and related controls due to COVID-19
  • Identification and assessment of new risks arising from changes to systems and related controls
  • Any concerns related to going concern
  • Reasons for changing from the use of inclusive method to the carve-out method for subservice organizations

Given the circumstances of the COVID-19 pandemic, management representation letters that do not carry original signatures on corporate letterhead may be acceptable, provided there is clear and appropriate evidence that the signatory knowingly and willingly signed the letter electronically.

Disclosures Around Subservice Organizations

In normal times, engaging a subservice organization requires planning and strategy before the relationship is established. The need to rapidly adjust operations in response to COVID-19 may have led an organization to shift processes to additional subservice organizations, and any such change should be clearly disclosed during the SOC examination. Changes in staffing levels at a subservice organization could also impact its operational processes, creating financial instability or changes in service quality as a result of the pandemic.

If a subservice organization is unable to fully participate in the SOC examination process because of current resource constraints, management may decide to switch from the inclusive method to the carve-out method for that subservice organization. Part of this decision must be an assessment of whether the resulting scope limitation would require management to modify its assertion or the service auditor to modify the report.

There are many challenges that organizations are being forced to navigate as a result of the COVID-19 crisis, but a successful audit remains a primary concern for entities. Learn more about how you can ensure your organization remains fully compliant even during operational challenges by contacting us for a complimentary initial consultation with our team of professionals.