In January 2020, many organizations began a new year with a strong outlook on the next twelve months and a low priority for reassessing the effectiveness of their internal controls. Given that many System and Organization Controls (SOC) examination reporting periods are underway, the COVID-19 pandemic could result in a significant impact on the design and operating effectiveness of controls.
With the evolution of COVID-19 and potential impacts to an organization’s control environment, now is the time to assess impacts and begin to take action. Maintaining and supporting controls requires three distinct elements: ownership, execution and evidence.
In the COVID-19 environment, control ownership can be challenging as cohesive teams are no longer physically working together to maintain controls. Assignment of controls to individuals safeguards accountability of the control environment and allows SOC stakeholders the opportunity to connect with a single point of contact for ongoing updates. In the event service organizations undergo furloughs as a result of the pandemic, reassignment of control ownership should be a top priority to make certain controls are properly maintained. Teams are encouraged to hold more frequent internal meetings to increase accountability and effectively communicate expectations. It is imperative that controls maintain an effective owner during the examination period so that each control is assigned and appropriate evidence is retained.
As many service organizations transition to remote work, control execution is now more critical than ever. Service organizations should evaluate the frequency of controls so that they are maintained properly during the COVID-19 pandemic. Utilizing control owners as identification points can help organizations maintain frequent controls on a regular basis. This requires individuals to include control performance as part of their daily task assignments. Upon identifying controls that can no longer be maintained as a result of COVID-19, service organizations may consider the following:
- Modification of control language to reflect the control environment during the reporting period;
- Modification of the examination period if controls are deemed ineffective as a result of COVID-19; and,
- Disclosure of COVID-19 impact to the system and controls to users of the report.
Within SOC reports, Section Five’s “Other Information” may be utilized to communicate unaudited information that provides additional background for the reader. Below are items to consider within Section Five of 2020 SOC reports.
- Business continuity declarations
- Changes to personnel or functions
- Shifting of reporting lines
- Alterations of system access and processes to accommodate work-from-home environments
- Uncertainty in future changes
Retaining evidence throughout the COVID-19 pandemic requires careful consideration of control owners and control maintenance. Since it is unknown how long the pandemic will last, maintaining documentation that supports the effectiveness of controls is imperative. Control owners must develop a strategy to isolate those controls that are performed on a regular basis and confirm that supporting evidence is retained. A central repository should be established to allow control owners to efficiently store evidence.
DHG recognizes the challenges that COVID-19 poses for service organizations. While the impact of the pandemic is still unknown, there are steps that can be taken now to reduce the impact on future control reporting. When control owners maintain controls and retain appropriate evidence, service organizations can be better positioned to assess the design and effectiveness of such controls during future examinations.
About DHG IT Advisory
DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business.