As the COVID-19 pandemic brings ongoing change to our world, organizations are facing unique challenges like sustaining day-to-day operations and preparing for the new normal that’s ahead. A key area affected by the COVID-19 pandemic is your control environment and service commitments to customers, so all organizations need to pay close attention to their SOC compliance and reporting initiatives.
Here are the top five actions to take for SOC 1 and SOC 2 reporting and compliance during the COVID-19 pandemic.
1. Perform a risk assessment.
It’s very likely that your risk environment has changed during the course of this pandemic, which means how you prioritize your risks has also changed. For many organizations, business continuity has risen to the top of the list. And while many companies might have already implemented a bring-your-own-device (BYOD) policy or a work-from-home policy, many didn’t, leaving them scrambling to adapt to new remote work styles.
Reevaluate your risk assessment and update your risk treatment plan to minimize the impact on your control environment. As you do, ask the following questions:
- What are the greatest risks your organization faces right now, and how are they impacting operations?
- What controls are in place to mitigate these risks?
- What additional controls need to be implemented, or how should current controls be modified to further mitigate additional risk factors?
- Have these risks been documented in your overall risk assessment and business impact analysis?
Asking these questions, and taking the steps indicated by the answers, helps your organization better understand where it needs to implement and monitor control activities both to prevent additional vulnerabilities and to continue operations as normally as possible given the circumstances.
2. Evaluate your business continuity plan.
Hopefully, your organization had a business continuity plan (BCP) in place and periodically tested it. If not, take this opportunity to implement one — or test your existing plan — and make modifications as necessary.
In particular, be sure to evaluate how your BCP is being implemented during the COVID-19 crisis. For example, perhaps it took longer than anticipated to resume operations in your new environment, or maybe you are monitoring your security cameras remotely instead of being onsite. Identify the reasons why and how the process can be more efficient in the future.
3. Redesign and implement controls.
Your risk environment has changed and risks have been reclassified, so controls need to be reevaluated as well. If your organization is sustaining operations through a remote work environment, which controls are now operating less frequently, or not at all? Perhaps, for example, you disabled some biometric access controls or changed the background check process for new hires. If any of your controls rely on physical inspection, handwritten signatures, or any other activity that cannot feasibly be performed remotely, what else can you do? Is it time to consider increased automation?
Or, perhaps a control activity that was performed monthly is now being performed less frequently, or an activity that previously was performed annually now needs to occur more frequently. Regardless of the specific changes you identify, it’s important to consider, document, and implement the appropriate new controls in order to mitigate the risk of not meeting your service commitments.
4. Continue to monitor your controls remotely.
You must continue to monitor and evaluate your control environment, even remotely. While your monitoring and evaluation activities may change, they should still accomplish the same goals. For example, physically signing off on documents as a means of review could be changed to an electronic signature — different means to the same end.
As you monitor and evaluate your control environment for SOC compliance, ask the following questions:
- How is your organization monitoring current control activities to protect information while meeting customer demands?
- Is your company evaluating specific controls required by certain compliance initiatives and adjusting as necessary?
5. Understand how the pandemic could affect SOC reports.
Be sure to work with your service auditor to evaluate how your SOC 1 and SOC 2 reports will be impacted. Will you need to modify your current controls and implement mitigating controls? Will these changes need to be disclosed? Should you consider extending or modifying your reporting period?
Management is required to disclose significant changes to the control environment in its SOC reports. Even if your control environment hasn’t been significantly impacted by the pandemic, it may be helpful to readers to disclose that. That said, government-imposed restrictions and internal policies designed to protect the health and safety of your employees may preclude you from physically performing certain controls. The key is to disclose, with sufficient clarity for the readers of your report, the circumstances that prevented you from performing those controls and what you did instead. If you revised your risk assessment and risk treatment plan, you will already have the answers needed to address customer concerns, because the revised plan documents the mitigating controls you implemented.
Due to the impact of COVID-19, your organization may not be able to support a SOC examination at this time. Your teams, especially your IT and security teams, likely are focusing on maintaining and supporting your remote working capabilities. If you don’t have the capacity to support a SOC examination, work with your service auditor to modify or extend your reporting period.
Finally, ensure you’re communicating any SOC reporting delays or issues to your customers proactively. Your customers may be relying on your report for their own financial reporting or vendor management needs during this unprecedented time. The more communication you have with them about delays or other issues, the better positioned you’ll be to meet their needs.
Prepare to restart.
As you think about resuming operations in a post-crisis new normal, remember that it won’t happen at the flip of a switch. As you begin the transition, you’ll need to address changes made during the crisis. Don’t risk long-term, negative impacts of some of those decisions — decisions that can put your audits at risk and affect your customer and vendor service commitments. Our Cybersecurity and COVID-19: Near-term steps to respond, restart, and be ready guide will help you manage the crisis. As always, if you have any questions, feel free to contact us anytime.