COVID-19’s Impact on SOC Controls and Testing
As businesses hastily sent office workers home in the face of a two-week government stay-at-home order this past spring, most did not anticipate that the majority, if not all, of their employees would continue to work remotely through at least the end of 2020. While some companies were able to smoothly transition to a work-from-home environment, many were caught unprepared for the number of computers, and in turn, VPN licenses, needed for their entire organization to work outside of the office. These needs were remedied as quickly as possible in order to keep their organizations running, but what other changes may have affected controls as a result of a remote workforce?
Impact on controls
The first and clearest area that may need to be addressed is the documentation and audit trail for controls. If your company’s approval documentation was maintained in hard copy prior to the pandemic, it has probably switched to some form of an electronic process. Just as paper approvals were retained when they were in hard copy, has a process for retention of electronic review and approval documentation been established in order to validate the review and approval workflow trail?
In addition to control documentation, the next most important control consideration is business continuity plans. Did anyone have a worldwide pandemic as one of the threats addressed in their plans? While the answer to that question is no in almost all cases, hopefully your plans did include the response to a threat that required all work to be performed from outside of the office. If not, now is the time to update your plans while the steps you had to take are fresh in your mind. If so, how did reality compare to your plan? Are there additional steps or improvements that should be incorporated into your plans to more closely reflect reality?
A final suggestion related to your SOC controls — take some time to review your most recent report and verify that all controls are still functioning. Are there any periodic controls, such as trainings and policy acknowledgements, that have not been completed due to the changes? If any have not been completed, undertake the necessary planning to accomplish these controls remotely. In addition, document any new controls that have been put in place or changes you’ve made to existing controls, and verify that you are maintaining the necessary evidence for testing.
Impact on SOC examination
There are changes to the SOC audit process necessitated by both the audit firm and the service organization when working in a remote environment. At McKonly & Asbury, we have implemented changes to physical observations, control walkthroughs, and fieldwork.
In most cases, even if some of the service organization’s personnel have returned to the office, visitors are not allowed in the building at this time. Since observation of controls is a key part of the SOC audit process, observations can be handled virtually via various video conferencing systems. Our firm has successfully used Zoom or Microsoft Teams, and FaceTime with the assistance of service organization personnel. If the service organization is still working 100% remotely, we have postponed physical observations until final fieldwork in the hope that conditions will improve enough to allow either a face-to-face meeting or, at least, the ability for the service organization personnel to go onsite and walk us through the facility using a video conferencing tool.
Similar to physical control observations, walkthroughs of controls can be performed using video conferencing. Most video conferencing tools allow for screen sharing by all parties. For the auditor, having the service organization share their screen virtually to show systems, spreadsheets, and reports can work just as well as being there in person. The auditor can also watch the service organization run reports in real time and verify report parameters to validate completeness and accuracy of the documentation provided to the auditor. If you have not used the Windows Snipping Tool, it can be a great aid while performing remote fieldwork. This tool allows you to capture and save a screenshot of anything on your screen.
Sharing files and data securely is still of the utmost importance. There are several online secure file sharing software options that allow service organizations and firms to upload documents securely, provide PBC requests and assignments, and track completion workflow. If you have not used one previously, the need for one has become imperative while performing remote fieldwork. In addition to your remote observations and walkthroughs, the documents uploaded to the file sharing site complete the trifecta of information required to successfully complete a remote SOC audit.
If your organization could benefit from further information or discussion about the impact to your SOC controls as a result of COVID-19 or how to successfully conduct a remote SOC audit, please contact our team at McKonly & Asbury. Our System and Organization Controls group can assist you in designing, implementing, or auditing your company’s SOC controls and testing process. Learn more at: macpas.com/soc.