COVID-19’s Impact on SOC Reports
COVID-19 has disrupted businesses of all sizes and in every industry in ways that were unimaginable even six months ago. From rapid shifts in the customer experience to forced evolution of internal processes and procedures, no operational area has gone unscathed. Service organizations with System and Organization Controls (SOC) examinations should pay particularly close attention to the way these changes affect data security and internal controls. A reduced workforce, newly remote workforce, and revised customer service protocols all increase security risks.
Preparing for a SOC Exam When Risks and Controls May Have Changed
Because service organizations are doing business differently, they need to prepare differently. Factors to consider when planning for a SOC exam in this new status quo:
- Maintain open communication with the auditors. Although attestation standards have not changed as a result of COVID-19, the way a SOC examination is conducted has. In many cases, SOC examinations are being performed remotely. This means companies and their auditors must work together to define how it will be conducted in a remote-friendly environment. To ensure realistic expectations are set and no surprises arise along the way, clear, ongoing communication is critical.
- Don’t skip the risk assessment. The risk assessment is vital in preparing for a SOC examination. This pre-exam planning exercise requires management to review its system, controls, and changes to the landscape to identify any potential new risk areas. A thorough assessment will uncover potential risks to your environment caused by COVID-19, such as a change in critical vendors, reduction or increase in workforce, a newly remote workforce, or growth in a new product or service line.
- Evaluate all internal controls and management’s description. It’s important before the examination that companies review their full control set as well as management’s description to determine if any controls were modified or broken as a result of changing the way business is done. In the event a key control that satisfied a risk is broken, an organization should then also perform an evaluation of the complementary controls that are already in place or that can be enacted to address the risk.
Top Information Security Areas to Re-evaluate in a COVID-19 World
While companies should regularly assess their security landscape regardless of a pandemic, the following areas should be re-evaluated prior to starting your next SOC examination:
- Vendor Management – Many businesses’ relationships with vendors have been altered due to the pandemic, such as offloading more operational responsibilities to these third parties. It’s important to periodically monitor the information being provided to vendors as well as their criticality to your ability to meet service commitments and system requirements.
- Reviewing and Updating Key Policies – Continually reviewing and updating internal policy documents is an important exercise. These documents should clearly communicate roles and responsibilities among employees and provide direction on meeting various risk criteria.
- Updated Information Security Risk Assessment – The overall purpose of the pre-exam risk assessment is to ensure any new or existing vulnerabilities are properly identified, mitigated, or accepted by your management team. If a company has performed a risk assessment pre-pandemic, performing an updated information security assessment with a global pandemic as a risk criterion should be top-of-mind.
- Logical Security Measures
- Ensuring employees have appropriate access to sensitive functions and data – given any changes to headcount or modified roles – is an exercise that should be performed, most commonly via a periodic user access review.
- Monitoring the existing user provisioning controls is critical to identifying any issues of noncompliance.
- Employees accessing corporate systems on their home network while working remotely creates added risks. The need for multi-factor authentication is more important now than ever.
- Vulnerability Management – Continuing to perform periodic vulnerability scans, penetration tests, and patch-management procedures in a remote environment can add an additional layer of security.
- Incident Response and Disaster Recovery – How, who, and when service organizations respond to incidents and disasters likely will look and feel different in a remote situation versus a full team working alongside one another in the same room. Ensuring your organization’s incident response plans and disaster recovery plans are updated and actionable is extremely important.
- Security Awareness – Identified security threats and reported incidents of employee phishing schemes are more prevalent than ever. As noted in the Verizon Business 2020 Data Breach Investigations Report (2020 DBIR), credential theft and social attacks such as phishing and business email compromises account for 67% of breaches. It’s important to ensure employees have the training and tools necessary to keep company and customer data safe and secure.
If your organization has an upcoming SOC examination, it is imperative to discuss these issues with your auditor. For more information on SOC reports, contact your KSM advisor or complete this form.
We're Looking for
At KSM, you’ll be encouraged to find your purpose, exercise your creativity, and drive innovation forward.