SOC 2 Controls: Handling Changes to the Controls and Environment During the Reporting Period
A SOC 2 audit report is an attestation report on controls at a service organization relevant to the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are the established industry standard for assessing and evaluating a service organization’s internal controls and, therefore, a necessity for companies that must manage the risk that comes with using service organizations. A service organization’s SOC 2 controls constantly evolve as the organization matures and develops its information security practices. An important part of that maturation process is understanding how changes impact the internal controls and the SOC 2 report.
Evaluating the Impact of the Changes
Changes to the SOC 2 internal controls at any service organization require adequate planning and analysis to ensure the changes do not adversely impact the organization’s ability to meet its security requirements to customers. The first step in implementing any change to the SOC 2 internal controls or control environment is performing a risk assessment to evaluate the risks and related impact of the changes being considered. The analysis should specifically assess whether changes to the controls or environment will adversely affect the organization’s ability to mitigate the risks relevant to the Trust Services Criteria. Appropriately performing this assessment allows the organization to identify whether the proposed changes to the controls are sufficient to address the organization’s risk profile and meet the SOC 2 Trust Services Criteria. As a result of the assessment, the service organization may deem it necessary to implement additional processes or controls to appropriately meet the Trust Services Criteria impacted by the change. The importance of completing the risk assessment and evaluating the impact of the changes as they relate to the Trust Services Criteria cannot be overstated: doing so ensures that any control or control environment change has been evaluated before implementation and will not adversely impact the SOC 2 audit report.
Presenting the Changes in the SOC 2 Report
Service organizations that have implemented control or control environment changes during the SOC 2 reporting period will need to appropriately present the impact of the changes in the SOC 2 report. Any changes that impact the control environment or the controls of a service organization will need to be presented in both the service organization’s description of controls as well as the description of tests of controls.
Changes Presented in the Description of Controls
The description of controls in a SOC 2 report is the service organization’s narrative of the processes and key controls relevant to the SOC 2 Trust Services Criteria. This description provides the users of the report with a detailed description of the scope of the SOC 2, as well as the processes and controls relevant to each of the applicable Trust Services Criteria. In the event of changes during the period, it is important that the service organization appropriately describes the internal controls and processes that were operating before the change, adequately describes the nature of the change, and defines the new processes and controls operating in the environment. The description of controls prepared by the service organization needs to provide the specific dates that delineate the processes in place before and after the changes were implemented. This presentation gives the user of the SOC 2 report adequate detail to fully understand the nature and timing of the changes that occurred.
Changes Presented in the Description of the Tests of Controls
In addition to the description of controls, any changes to controls are also presented in the description of the tests of controls within the SOC 2 report. The description of the tests of controls in the SOC 2 report presents the organization’s key controls, the auditor’s test procedures, and the results of the tests. It is important to note that, though the SOC 2 auditor prepares the test procedures and results, the key controls are prepared by the service organization. Changes to controls occurring during the reporting period may result in modifications to the key controls being tested in the SOC 2 report. In this section of the report, the service organization will need to identify the period of operation for each control that was impacted by any change to the environment. Controls that were operating before the implementation of the change should include the dates on which the control began and ceased to operate. Likewise, any new controls implemented as part of the change should include the date on which they began operating. Delineating the dates on which controls ceased and the dates on which new controls were implemented allows the users of the report to evaluate the impact of the changes and to review the testing procedures and results provided by the SOC 2 auditors. This also allows users to verify that both the controls in place before the change and the controls in place after the implementation were operating as anticipated.
Before making any changes to your SOC 2 controls, consider having a consultation with McKonly & Asbury to determine the best approach based upon your organization’s needs. For more information, be sure to visit our System and Organization Controls (SOC) service page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding SOC 2 reports and our services.
About the Author
Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.