How COVID-19 impacted the SOC audit landscape, during the pandemic and into the new normal.
COVID-19's effects were felt by every type of organization in 2020, and the impact is still reverberating in 2021. SOC audits allow service providers to demonstrate to their clients the quality of their processes and security controls, yet many businesses had to adjust those strategies due to the pandemic. How did this affect organizations in this situation and how can they address these concerns today?
On May 14, 2020, when US companies were in the thick of the beginning phases of the COVID-19 pandemic, Lauren Atencio, Business Advisory Services Senior Manager at Briggs & Veselka Co., shared detailed insights regarding what service organizations and their clients should expect will impact their SOC audits during and after COVID.
- If you've never had a SOC audit performed, but are looking to have one soon, you can document your ideal processes, policies, and procedures, but be sure to be clear which ones you had pre-COVID; what changes you had to make because of COVID; and what you'd like your processes, policies, and procedures to be post-COVID.
- Revisit your IT risk assessment and controls section, especially if something was deemed low risk in prior years. Because of COVID, those areas might have been exposed to more risk, especially if your organization had employees working remotely or onboarded new employees remotely using a VPN or if anything changed in the way your employees access the network.
- Now is a good time to formally assess – and formally document the assessment of – your control environment. This can become an operational benefit to determine what areas may have been affected by COVID.
- If customers previously communicated their preferences to you in person, now is a good time to start documenting all of that information in writing. Even if we start communicating in person again post-COVID, the best practice will still be to capture all verbal requests and preferences in writing for a stronger SOC audit.
- The same applies to documenting policies and procedures, reports previously reviewed on paper that now are digitally reviewed, meeting documentation (who attended and what was discussed), as well as HR file access approvals and maintenance.
- Document when a certain change went into effect, when you told employees that change was in effect, and on what date (if ever) you had to make any changes to your software to accommodate the operational change that was made. This will ensure your SOC auditor doesn't have to spend time addressing what appear to be exceptions, but actually aren't.
- Also note if this change is temporary (and for how long) or if this is a permanent change because the new approach is better than the previous one.
- While SOC auditors can help you prepare for your audit, including how COVID impacted your organizational controls, it's imperative you prepare your auditors ahead of time so they can efficiently and effectively capture this vital data and correctly incorporate it into your final SOC report.
- Even if you didn't document changes in real-time, you can provide as much documentation and information as possible, including what is available, what isn't available (and why), and what is considered alternate documentation. Do this before your next SOC audit and you should be fine documenting changes after the fact.
[Lauren Atencio, Briggs & Veselka] Hi, everyone, and welcome to SOC Audit Controls and COVID-19. We’ll be talking about maintaining and monitoring the control environments through COVID-19.
I’ll introduce myself. My name is Lauren Atencio and I’m with Briggs & Veselka’s Business Advisory department. I’ve been working on SOC audits for about seven years. And behind the scenes we also have our manager, James Beeler, and partner Sonny Brandtner, also in advisory.
Throughout the next hour, we’ll be talking about different aspects to be considered as you’re evaluating your control environment and the changes that you’ve made to your control environment to accommodate COVID-19.
I will start with who should be concerned and what kinds of organizations should be considering these points. We’ll talk about some examples of areas of your control environment that may be affected by COVID-19 that should be evaluated accordingly. We’ll go into talking about what kind of changes can be made and what you should be considering when determining how you will make operational changes and what aspects of those changes will need to be recorded formally.
We’ll have a bit of discussion on potential impacts on SOC fieldwork and the presentation of your SOC report related to the changes that you’ll be making mid-audit period for your SOC audit. And we’ll talk a little bit about what might come up in discussions with your customers in regard to your SOC audit and some potential concerns they may have about potential interruptions to your operations and how they’ll be reflected in the SOC report.
And finally, we’ll end with something of a roadmap guiding you through what points should be considered now, what should be considered once we go back to normal post-COVID, what should be considered when you are looking at about six to eight weeks out of your next SOC audit fieldwork.
Who Should Be Concerned?
Let’s talk a little bit about who should be concerned and what types of entities should be concerned when considering the impact of COVID-19 on your operational controls. If you’re here listening to me now, you’re likely concerned at some degree, so at least one of these categories [shown on screen] should be relevant to you.
First, we’ll talk about organizations that are already currently receiving annual SOC audits, then we’ll touch a little on service organizations that are planning on doing a SOC audit for the first time in the next six to 12 months, and then we’ll talk a little bit about user entities of SOC audits or people who regularly obtain SOC reports from their own vendors.
For service organizations regularly undergoing an annual SOC audit, of course you’re going to run into changes that occur due to COVID – be they big or small operational changes or moving to work from home – certain processes may no longer be applicable for your newly remote or partially remote workforce, certain areas may no longer be relevant or available. So as these changes occur, identifying which ones are relevant to your self-report and which ones may impact your operational controls is key, as is documenting changes and determining if any documentation previously utilized for SOC audits now is not available, needs to be replaced, or needs to be reconsidered for use in the SOC audit.
The potential for having to bifurcate your process for your SOC audit means you’d basically be talking about your process before COVID and during COVID, and maybe even after COVID. But, really defining where your process is changing and where it’s splitting and where it’s coming back together or where you’re reverting back to your previous process is a key aspect that will ensure that you don’t run into issues when performing fieldwork.
You may run into some of your customers looking at your SOC reports with increased scrutiny. It could be someone who you’ve provided a SOC audit report to for years, but this may be the year that they read it more closely, that they have more questions, or that they come to you and ask you to get more detail.
And finally, you may find that customers who you’ve never given a SOC audit report to before are now asking to see that report, which isn’t necessarily a bad thing, but it could come with additional questions or things that you may have to talk to them about in managing that relationship.
For service organizations that have never had a SOC report, but that are considering having their first SOC report in the six to 12 months to come, you’re in the process now, probably, of documenting your control environment and documenting what things you would want to assert in a SOC 1 or what processes you want to utilize in a SOC 2. And as you’re going through documenting your processes, there’s the consideration of what process would we like to be using and what process are we now having to use because of COVID.
So, you want to make sure that as you’re documenting your ideal processes that you’re keeping in mind that maybe you’re not currently doing those processes because things have changed due to COVID, but eventually you’d like to get back to them. So, it’s kind of keeping that delineation in your mind that will be necessary for the next couple of months.
Same with documenting your policies and procedures – you know, you’re putting down on paper what you plan to have be your policy once we’re back to normal, while at the same time keeping in mind that these things that you’re documenting may not necessarily be in place as of right now, but it’s temporary with changes related to COVID.
With process implementation and employee training, making sure that employees are aware and trained on both how our processes are going to be for the SOC audit for the future going forward and how they are now just to account for COVID is important to consider.
The communication with customers – if you’re planning your SOC audit in response to a request from a customer and they may have different needs, they may be concerned that you may not be able to meet any targets that they may have set prior to COVID, keeping an open line of communication there about what they’re expecting and what you’re able to provide is going to be crucial.
If you’re a user entity that regularly reviews SOC audits, you’re kind of on the other side of obtaining and reviewing that report. Your financial statement auditors are always going to want to request that, they’re going to want to see that you’re able to obtain that, but your review of that report is going to be more important than ever. Documenting your review of that report and asking any questions that you think you need to ask about what may have changed due to COVID, what compensating controls have been implemented due to COVID, etc., means you’ll be looking with a little bit more scrutiny at certain areas. There are certain areas that are more likely than others to be affected by COVID; those are the ones you want to look at a bit closer.
You’ll also focus on both communication with the service organization and with the financial statement auditors because everyone’s timelines may be shifting due to COVID. I know financial statement auditors are looking into some clients that are pushing audits out or their schedules are changing. Keeping track of what your service organization is able to do in terms of providing you with a SOC report and keeping track of what your financial statement auditors’ needs are going to be in terms of obtaining a SOC report is going to be key here.
Examples of Potentially Affected Operational Areas
Here we’ll go into some examples of areas of operation that may be affected. These are of interest for service organizations because these are areas where the SOC report reader would expect to see some kind of change or some kind of compensating control or influence of the period of slow-down or the period of operational change that occurred due to COVID.
The first area is risk assessment. Both SOC 1 and SOC 2 have the IT risk assessment, generally. SOC 2 also goes deeper into risk assessments for your control environment and for fraud. Anything that was low risk before, you’re going to want to look at again and see if it was still low risk if the period of time it’s talking about included COVID and if anything changed in the way that you operate that may have increased risk in IT functions, in the control environment as a whole, or the risk of fraud. We would expect to see some heightened risk categories as a result of the changes that have occurred.
IT controls – access to your network. If you have moved to a remote workforce or you’ve had to set new people up on VPN, if you’ve had to set everybody up on VPN, if anything has changed in the way that you have your employees access the network, there is going to be a little bit of enhanced scrutiny on IT controls.
Anything that has to do with your application – if your application is web-based, it may not be as much of an issue, but if you have an application that’s installed and it’s a standalone that has a process involved in the installation and you have to approve a computer to have it installed, if anything about the way that you manage that installation process before COVID has changed for COVID or in the period of time in which your operations have been affected, you’re going to want to document what changed, when it changed, and if it changed back. So, monitoring controls are for both SOC 1 and SOC 2 in regard to changes to application and network access.
If you have a process described for your SOC audit that says that we regularly review who has access to our network or who has access to our application and you have had to add a lot of people in a short period of time to either of those, the testing around that area will be enhanced. If we say that we only review these accesses every six months and we had 10 times the normal number of access granting in a two-month period, you may want to increase the frequency of that review. If there were people who were added and then taken back off once we get through the COVID period, the activity in that area is going to increase, so the number of items that we test in that area is going to increase. The best practice there is to look at it with a little more frequency and a little more scrutiny.
The same goes for security events and adverse event response. Timing is a big factor here. If anywhere in your SOC audit you assert the timing and the speed with which something is addressed or something is performed and that speed standard no longer applies because everyone is working remotely, things are a bit slower, you’re still trying to delegate responsibilities to remote workforce, you want to look at those assertions and say, “Is this still realistic? Was this true for the full audit period? Was there a period of time where this didn’t apply?”
And for the SOC 2, there’s a step where you have to have a formal documented assessment of the control environment. That’s usually one where I have to get creative to find something that counts as a formal assessment of the control environment. But with what’s happened and with the changes that have come with COVID, it’s a good time to actually do that. It’s a good time to assess your control environment formally as an operational benefit as opposed to just satisfying the audit requirement because that’s a good way to get started on determining what areas may have been affected.
With implementation, this usually is a SOC 1-related item. But if you are onboarding new customers and your operational areas have changed, your functions have changed, and you had anything that maybe you’d done in person that you no longer do in person because they don’t want you out there physically, if they had communicated in person any of their preferences or anything that they want done when they’re onboarded, at this point we want to make sure that as much as possible is in writing because testing of this type of thing usually is a little difficult when that kind of thing is done in person or is done verbally with no documentation. So, this actually is an opportunity to improve the way that these processes are documented. Something to keep in mind is anything that we had previously done in person or by popping a head into someone’s office and telling them something, now that we’re not in our offices for the most part, we have to keep a record of that information in some way.
Administrative controls and policies and procedures – the next time a SOC auditor is onsite, they will still look at your policies and procedures and will still want to hold you to your policies and procedures. If your policies and procedures outline processes that for a certain period of time were not applicable, you’re going to want to identify that and communicate it in advance.
Same with manually reviewed reports. If there’s anything that you had been printing off and signing off for, and for a period of time that was no longer possible, so you moved to some kind of digital signoff or some kind of virtual documentation, that’s the kind of thing that you want to document when you moved to that new process and when you moved back, if you did move back.
And same with documentation of meetings that occurred. I don’t have very many clients personally who document meetings on paper anymore, but if you are documenting things on paper and those meetings are now happening virtually, keeping a record of who attended those meetings is key.
And finally, with the HR controls, access to and maintenance of HR files, if HR files were kept on physical paper in someone’s office and you move to having to maintain a digital file just because you didn’t want to take those home or you weren’t able to take those home, that’s something you want to document when you moved to that process and when you move back. Something I frequently see is with HR controls and the approval of granting someone access to the application, sometimes that approval comes over the phone and sometimes that approval comes verbally. Since this is an opportunity to move to a more concrete method of documentation, it’s something to consider formalizing into an email or some kind of digital record.
These are some examples of potentially affected areas. Since everybody’s SOC audit is a little bit different, other areas may be affected. This is the kind of thing where as you come across it or as you’re reviewing your controls, if you have a question, I’m available to talk it through.
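The access-review point made in this section (a six-monthly review is too coarse once grants run at ten times their normal rate over a two-month stretch) can be turned into a simple check over your own grant records. The following is an added example, not code from the webinar or from Briggs & Veselka; the grant records, the baseline period, the 10× threshold, the two-month window, and the function names are all constructed assumptions for illustration.

```python
from collections import Counter
from statistics import mean

# Constructed sample access-grant records (not from the webinar): one tuple per
# account added, (grant date, user id, system). Five quiet months, then a burst
# of remote onboarding in March and April 2020, then back to normal.
SAMPLE_GRANTS = (
    [("2019-10-03", "u01", "vpn"), ("2019-11-12", "u02", "app"),
     ("2019-12-02", "u03", "vpn"), ("2020-01-15", "u04", "app"),
     ("2020-02-20", "u05", "vpn")]
    + [(f"2020-03-{d:02d}", f"r{d:02d}", "vpn") for d in range(16, 28)]  # 12 grants
    + [(f"2020-04-{d:02d}", f"s{d:02d}", "vpn") for d in range(1, 11)]   # 10 grants
    + [("2020-05-19", "u06", "app")]
)


def monthly_counts(grants):
    """Count grants per calendar month, keyed by (year, month)."""
    counts = Counter()
    for grant_date, _user, _system in grants:
        year, month, _day = grant_date.split("-")
        counts[(int(year), int(month))] += 1
    return counts


def months_between(start, end):
    """Inclusive list of (year, month) tuples from start to end."""
    year, month = start
    out = []
    while (year, month) <= end:
        out.append((year, month))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return out


def flag_review_windows(grants, baseline, period, window_months=2, multiplier=10):
    """Slide a window across the audit period and flag every window whose grant
    volume is at least `multiplier` times the baseline volume for the same
    number of months. `baseline` and `period` are ((y, m), (y, m)) ranges."""
    counts = monthly_counts(grants)
    normal_per_month = mean(counts.get(m, 0) for m in months_between(*baseline))
    # A baseline of zero would make any grant infinitely anomalous; treat
    # "normal" as at least one grant per month so the ratio stays meaningful.
    normal_per_month = max(normal_per_month, 1.0)
    months = months_between(*period)
    flagged = []
    for i in range(len(months) - window_months + 1):
        window = months[i:i + window_months]
        total = sum(counts.get(m, 0) for m in window)
        ratio = total / (normal_per_month * window_months)
        if ratio >= multiplier:
            flagged.append({"start": window[0], "end": window[-1],
                            "grants": total, "ratio": ratio})
    return flagged


def interim_review_months(flagged):
    """Collapse overlapping flagged windows into runs and recommend one interim
    access review at the end of each run; the regular review stays scheduled."""
    runs = []
    for w in sorted(flagged, key=lambda w: w["start"]):
        if runs and w["start"] <= runs[-1]["end"]:
            runs[-1]["end"] = max(runs[-1]["end"], w["end"])
        else:
            runs.append({"start": w["start"], "end": w["end"]})
    return [run["end"] for run in runs]


if __name__ == "__main__":
    hits = flag_review_windows(SAMPLE_GRANTS,
                               baseline=((2019, 10), (2020, 2)),
                               period=((2019, 10), (2020, 5)))
    for h in hits:
        print(f"{h['start']}..{h['end']}: {h['grants']} grants, "
              f"{h['ratio']:.1f}x normal -> review access now")
    print("interim reviews due at end of:", interim_review_months(hits))
```

Run against your own export of account-creation records, the output is the list of months in which an extra access review should be performed and documented, so that the auditor sees the review frequency rising with the grant volume rather than a six-month gap over the busiest period.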
What to Consider When Making Operational Changes
In the next section, we’re going to talk about what to consider when making these changes. So, say you’ve been doing something one way, COVID happens, now you have to do it a different way and not everything you change is going to be SOC relevant. The best way to determine if it will be SOC relevant starts with identifying what you’re changing, how we did it before, how are we having to do it now due to COVID.
Then look through what SOC assertions you’ve made, look through what objectives you’ve identified. If you’re doing a SOC 1, look through the criteria. For your SOC 2, what processes have we included that incorporate the thing that we changed? If you’re changing the way that a report is reviewed, if anywhere in your SOC audit the review of that report is a pillar supporting the objective, that’s relevant to your SOC audit and it’s something that should be considered.
If you’re someone who has been getting SOC audits every year, it can be helpful to look back and say, “Okay, we’ve identified that this SOC control incorporates this process that we’ve changed. What did we give the auditors last year to test this?”
If you gave me 30 days of records of people attending a meeting and for a period of time in your audit period this year, those meetings were not attended in person and now they’re Zoom meetings, that’s something to keep in mind to communicate to your auditor. You can say, “Okay, for this period of time we did in-person meetings, then COVID happened and for this four-month period of time we did Zoom meetings, and then we went back to doing in-person meetings.”
That’s the kind of thing to keep a record of: when those changes occurred as precisely as possible, and keeping a record of when they reverted back, if they reverted back, or if there was an overlap period where you did both. The key point there is going to be keeping track of when those changes happened and what changed because that’s going to enable your service auditor to bifurcate the testing to say, “Okay, we’re not going to test that you held in-person meetings for the period of time that you told me you didn’t.”
If you’re in the planning stages, if you’re determining if you’re going to have a SOC audit in the next six to 12 months for the first time, identifying what did you plan to use to support this, can you still use this to support this, did you have to have a period of time where you used something else to support this assertion we’ve made, it’s the same idea as the ongoing service organizations. Basically, being aware of when that change happened and when it reverted.
The next thing to consider is documentation on the timing front. The key points of timing are when did we put this change into effect, when did we tell employees that this change was in effect, and did we have to make any changes to our software to accommodate this operational change that we made. All three of those dates are going to be relevant to your service auditor when testing and it’s going to help them avoid encountering any kind of technical exception: you didn’t do this stage, oh well, that was one of our COVID-affected dates, so we did it a different way that time. It’ll save having to go through that process of clearing what look like exceptions, but actually aren’t.
For policies and procedures, in an ideal world with your procedural documents, having some kind of documented alternate process – your COVID plan, your COVID process, or whatever it is – you have something down on paper that says we used to do it this way for a period of time, but now we’re going to do it this way and we’ll let you know when you can go back to doing it the old way. That would be ideal. But at the very least, for SOC audit purposes, if you go through your procedures that you already have documented and highlight anything that probably wasn’t in effect for the full audit period because that audit period had COVID in the middle of it, you can show that your policy says you do it 100% of the time but couldn’t for that period of time and flag that as something you have an alternate procedure for. This allows us to be aware of what not to look for during certain periods of time.
Replacement support: if your process changed and something went away (e.g., the manual sign-in of a meeting went away), something has to fill its place. There’s a little bit of wiggle room depending upon what the thing is that went away, but the goal should always be if something went away, to replace it (e.g., some kind of documentation to replace it, some kind of record or audit trail, or something to allow alternate testing for that period of time).
This is the kind of thing where your service auditor will be able to help you determine if what you would like to use as an alternate documentation is appropriate or if it’s something that we need to find a better way to replace it.
The last thing to consider when making operational changes are thought points or things to think about as we traverse this COVID event. When we change something, how long will it be changed for and do we have a target date that we’re going to change it back, is it until further notice, or this is the way things are done now? Is the thing we changed to better than what we had before? Have we determined that even once COVID has passed we’re going to keep doing it this way because it ended up being better? So, for anything that you change in your operational areas, be thinking if this is going to be permanent or is this going to change back and when it is going to change back.
Once you’ve identified something that you’ve changed that impacts SOC, also be thinking about how important a SOC point this is. If you’re doing a SOC 1, you have an objective that is supported by one assertion and that one assertion is that you have manual meeting minutes that are signed by all attendees. If you no longer have those manual meeting minutes, you’re definitely going to need something to replace them because otherwise that objective has nothing to support it.
If the process that you’ve changed is one of eight assertions that support a single objective, it’s a little bit less urgent that it be replaced and that it’s thoroughly documented. But of course, we don’t want to lose any process assertions if we can avoid it.
In the SOC 2 area, it’s a little more concrete on what you need to be doing, so alternate procedures are of exceeding importance in the SOC 2.
And be considering any process that you’ve changed. If we have a complementary user entity control – basically if we had said something that our customers need to be doing to make sure that our controls as the service organization work and you change the process to something new that they need to be doing on their end, if it’s a process that involves customer information or feedback (i.e., anything that the customer touches/takes action on their end) and we need them to be doing something extra to make sure our new COVID process works, we need to be thinking about putting that into our report the next time around.
Changes to SOC Fieldwork and Report
When it comes to field work and your report, there may be a few things that are a little bit different. But the goal of having webinars like this and the goal of communicating with your service auditor is to have as few interruptions and changes as possible.
Some potential changes to field work: probably the most important one is communication. We want to be identifying where things changed, where things diverged, where they came back together, where we went back to old processes, and if we went back to old processes. Documenting these things on your end and being able to provide your service auditor with a list of things that changed and when they changed back is going to be key to making sure that your SOC audit field work doesn’t drag out.
For service organizations, if we change a process and documentation for this new temporary process is different than it was for the old one, test to make sure it’s actually retained and available. You can communicate to your employees, “Okay, we’re doing things this way now.” You’re going to want to keep those emails, Zoom logs, and audit records, and testing periodically to make sure they’re actually keeping these things, or making sure it’s possible to easily keep these things, is going to be key in making sure that we don’t run into any exceptions when we try to test your new processes for that temporary period of time.
In advance of field work, if anything has changed that requires alternate testing, your service auditor is going to pitch to you how they’d like to test the COVID period. Giving your feedback on that testing is going to be key to making sure that they’re not having to devise alternate testing on the fly.
In regard to the SOC report, the description of the system is a key portion of it. The description is at the front of the report and describes how your system operated for the full audit period. Incorporated into that description of the system is going to be any alternate procedures you put into place temporarily or permanently during COVID. It’s going to have to cover both how we did it before, how we did it during, and how we did it after. This portion of the audit report technically is the responsibility of the service organizations.
As service auditors, we do what we can to assist you along the way, but if you’re not looking at it ahead of time, it’s going to drag out a little bit in the report-generation process.
The same applies with the split testing procedures, your report may reflect testing procedures for a portion of the audit period and then beneath that might reflect testing procedures for the COVID-affected portion. Then it may go back, or it may not. We may include both pre-COVID and post-COVID procedures in one section and then COVID procedures in a second section. Either way, it’s going to be split out in the records of testing and your audit report to ensure that the reader (your customer) is aware that you have addressed the full period of time and that you didn’t just let the COVID-affected period fall into a black hole and not address it in your SOC report.
Another point to consider for specifically SOC 1 audits is the potential consolidation of objectives. If you have an objective area that you’ve identified that you only supported with one or two assertions and that objective can be incorporated into another objective to bulk up another small objective (as opposed to leaving a single objective under-supported), now is a good time to consider those consolidations because we are at increased risk of testing due to how up-in-the-air some things are with COVID.
Likely Customer Concerns About COVID’s Impact on Your SOC Audit
Let’s talk a little bit about potential questions your customers may have about your SOC audit and COVID and any concerns they may have.
They may ask about gaps in the audit period. Everything here timing-wise is something we’re going to do everything we can to avoid. We’re not going to have any gaps in the audit period, we’re going to cover everything, but we’re just going to have to do a little bit of extra work to make sure everything is covered. We’re going to avoid having any delay in delivering the SOC audit. If everything we talked about in the fieldwork and report area is covered, we shouldn’t see any delays in delivering.
Coverage-wise, they may be concerned about you excluding certain areas that maybe weren’t operational in the way you usually define it. They may be worried that you just skip that area rather than re-describing your process that’s COVID-affected. You can tell them you’re not going to do that; you’re going to cover everything and you’re not going to skip anything. They may be worried about your description of the system not being accurate and you can tell them, “No, we’re reviewing our description in the system and it’s going to be accurate. Everything in there is going to be described for both pre- and post-COVID.”
They may be worried about the testing not being covered completely. They may be worried that your auditor will skimp a little bit on the testing to account for COVID. If I’m your auditor, I can tell you no, I won’t, and any auditor probably won’t either.
Technical exceptions are what come up when you’ve asserted that your process is a certain way and we tested it and it wasn’t that way, but the problem was not that your process was bad, the problem was that you asserted wrong and it was significantly wrong. We’re going to do everything we can to avoid those, but technical exceptions are the easiest ones to explain away in the back of the report when you’re responding. You may see an increase in technical exceptions where the COVID-affected period was lacking, but you do have a better excuse this time around.
They may be worried about your auditor going easy on reporting exceptions. Again, this probably won’t happen, but you can let them know that your auditor has every intention of identifying exceptions and reporting exceptions fully as they always would. They may also be worried about you not taking those exceptions seriously. Of course, you know everything that’s reported in the SOC report is something that should be responded to and generally is.
These are things that you can be prepared to have an answer for and can consider should your customer ask.
Roadmap to Remaining SOC Solid Through COVID-19
We’ll wrap up here with something that I’m going to call a map. It’s meant to be a guide through what you should be considering now, what you should be considering as you approach “back to normal” status, and what you should be considering before your next SOC audit.
- Identifying and documenting the process changes: if something changed, what changed, when did we change it, is this change relevant to our SOC audit.
- Identifying temporary changes: when we moved to our COVID “normal”, did any documentation go away, did anything that we were documenting before become unavailable, when did it become unavailable, and what did we put in place to replace it.
- Communication with employees, especially the employees who are responsible for ensuring that this documentation is retained, is crucial. Make sure that your employees are aware of when the process officially changed, what they are officially asked to do for the COVID-affected period, and when they no longer have to do that. Also, give them a good understanding of what they need to be retaining (e.g., if there’s a shared drive, where they need to be retaining information and how long they need to be retaining it for).
Back to Normal
- As you approach back to normal, as you’re getting back to operating out of your offices again, as you’re getting back to how you operated prior to COVID, be thinking about what things changed that might be better than before and if you plan on reverting back to pre-COVID processes or keeping the ones that were put in place in response to COVID.
- If you’re reverting back to pre-COVID processes, determine whether you’ll have a cut-off date and say that everybody goes back to doing it this way, whether you’ll phase it out slowly, or whether there will be a period of time where you’ll be doing both the COVID procedure and the non-COVID procedure. Considering that and documenting your decisions will be key to keeping your processes clear for SOC testing.
- Do a spot check on documentation that you may have implemented strictly in response to COVID to make sure that things were retained. When you’re telling your auditor you did things a certain way for COVID, you want to make sure documentation will be available and testable.
- Optional at this point is to give your clients or customers to whom you normally provide a SOC audit an update saying you’ve been addressing these things, retaining documentation, and that you don’t anticipate any kind of interruption in the SOC procedures.
6-8 Weeks Before Your Next SOC Audit
- Before your next SOC audit, if you have already been doing SOC audits: we touched on the description of the system, and giving yourself a good amount of time to read through that and identify anything that changed or may not have been strictly true for the full audit period will be very beneficial. You don’t want to be trying to do this two days before we come out for fieldwork, because it’s going to take more time and it’s better to keep track of it over time. Reviewing what you plan to assert as your description of the system is a key preparation for your next SOC audit.
- Same for the complementary user entity control considerations. Again, that’s the list of things you are telling your customers they need to be doing to make sure your controls are operational. Scanning through that and looking for anything that maybe you need to add because you changed your processes or anything that maybe you’re aware that your customers may not have been able to do because they had changes in their processes.
- It’s not really your responsibility to make sure that they’re compliant, so this section is basically a caveat that if they don’t do their job, they can’t assume that your controls are all 100% operational and effective. This is something to consider since more information is better in that section so you can make sure that clients/customers know they have to do their part.
- Six to eight weeks before your SOC audit is around the time when your service auditor may be reaching out to you and saying, “Okay, we know that some of your areas may have been affected by COVID, so can you tell us what you changed and when you changed it?” At that point, the service auditor would be devising alternate procedures for you for what changed, so giving feedback on those alternate procedures will be incredibly helpful in ensuring they can prepare for your fieldwork and that they’re testing the right things.
If anyone has questions that you’d like to ask through the Zoom Q&A, I will look back through there now and see if there’s anything.
[James Beeler, Briggs & Veselka] Lauren, there are a couple of questions, one of which I may have answered in chat, but which probably most of the people may be wondering. If you want to address it, someone was asking about the cost of SOC audits and whether we would anticipate that these alternate procedures they’re having to do because of COVID and work from home, etc., do we anticipate that to result in increased fees for performing SOC audits?
[Lauren] That’s definitely a relevant question. It’s going to depend on the degree to which your process has changed. If enough process needs to be bifurcated and dual testing procedures are applied, it’s possible it may affect the price just due to the increased amount of work that needs to be done on our end. But we will always balance the number of items tested to ensure full coverage (i.e., statistical significance) in each of these areas.
We do weight them based on the period as well. If you have a 12-month audit period and your COVID procedures were in place for four months and your regular procedures were in place for eight months, we will weight what we test accordingly and try to do the same amount of testing that we would have done if the non-COVID process had been in place for the full 12 months.
So, we do what we can to try to minimize what we would need to add to our fee in that regard, but I don’t see it being anything significant unless everything changed significantly for COVID and you decided not to change it back. Then there would be a lot of work to be done.
[James] That’s a good point in that it’s not necessarily the testing that’s going to result in the increased fees; it’s going to be analyzing the changes and documenting that in the description. To the extent that the client can be aware of that and be involved in that on their own and not necessarily rely on their SOC auditor, then that can help keep the fees down.
[Lauren] Anything that you can do in advance and provide to me that I would have had to do otherwise is going to bring a fee down.
[James] There is one other question that seems very applicable to the topic, but it’s from the other side. The question is: can a SOC audit be done 100% remote?
[Lauren] That’s a good question, and it always depends. There are certain aspects of SOC audits, in particular SOC 1 audits, that sometimes are heavily observation-based, because certain processes are asserted to operate in a way that might not have a physical or documented record.
We are very good at brainstorming alternate procedures and your service auditor will always be willing to talk to you about potential alternate procedures to document a process that you definitely want in your SOC report. If after that back-and-forth, there are certain things that you want to assert that we cannot do any way other than physically observing, it may require limited onsite procedures.
From what we’ve seen so far, we’ve actually had pretty good experiences with remote SOC audits. We’ve done a few 100% remote ones in the time since COVID hit. The key to those being successful is documentation in advance and communication in advance. Basically, if you’re prepared to provide items well in advance, yes, it can be done.
If it’s the kind of thing where items are only provided once we’re onsite, then it would be less possible and may result in an extension of fieldwork beyond the week intended.
It’s not a terribly concrete answer, and the answer is “it depends”, but the communication in advance of fieldwork is going to be what determines if it can be done.
[James] There’s actually another question that came in that kind of ties in with a couple of questions together. The question is: will COVID-19 make a difference if I need a SOC 1 or a SOC 2? That falls in line with an earlier question where someone wanted an explanation as to the difference between a SOC 1 and SOC 2, so that leads into the COVID effect on whether you need a SOC 1 or not.
It probably doesn’t make a difference, but if you give a detail of the difference between SOC 1 and 2, maybe that’ll help answer both questions.
[Lauren] In general, a SOC 1 is an evaluation of the controls at an organization that, if they were to fail, have potential to cause a material misstatement to the financial statements of that entity’s customers. So, in theory, anything in a SOC 1 audit should have a trickle-down effect or potential effect on their customers’ financial statements.
A SOC 2 is more tech based. It’s based around a set of established criteria (e.g., security, availability, confidentiality, processing integrity, and privacy). These criteria are set in stone and are concrete. The processes that support them generally are tech related and based on report output from systems in use.
While they are very different, it usually boils down to who is asking for your SOC report. If you have a customer whose financial statement auditor is asking for your SOC report, they want a SOC 1, and it’s in your best interest to get a SOC 1 because their financial statement auditor will not take a SOC 2.
If it’s a matter of remaining competitive or wanting to be able to assert your SOC controls around tech – and it’s not strictly to satisfy an auditor – a SOC 2 is the direction you go.
I don’t see COVID affecting whether you go from a SOC 1 to a SOC 2 because nobody’s financial statement auditor is going to change their standards of what they want.
Having a SOC 2 to address concerns about COVID – if you’re not getting one currently and maybe you want to underline the fact that you had controls in place in compliance with the established criteria standards for a SOC 2, it’s a good time to get one because your customers and potential customers are going to have increased levels of concern now that they’ve seen how a pandemic goes down and they’ve seen how things can change.
[James] We did have another question that just came in. Is documenting a change after the fact acceptable? Can we make the control change and then go back later and document how and why, with the documentation coming later? All of these would seem to not necessarily violate change management controls, so I guess you may want to talk about going back and documenting a change after the fact.
[Lauren] If something changed for COVID and you had everybody start doing something differently because everything changed on the fly and you wanted to minimize service interruption or interruption to your processes, then going back after the fact and writing down when you changed it and what you changed is fine. From the perspective of just getting it down on paper and giving it to the auditor, you can do that whenever, as long as you know when that change happened and what you changed.
In terms of documenting formal procedures, if everything changed for the four months of COVID and then once you get back to normal day-to-day operations you then document formal procedures for how to handle COVID, it will be less valuable to your SOC auditor. But the most important thing is the timing: knowing when you change things, what you changed, when you changed back.
In terms of keeping your employees up to date, getting those formal COVID procedures or changes documented and distributed would be nice.
But for your audit, as long as you’re able to communicate to us with reasonable accuracy what you changed, when you changed it, when you changed back, and any documentation that was available (or not available) or alternate documentation that may be available, communicate that to us before your next SOC audit and you should be fine.
[James] We have another question about sub-service organizations. What would need to be done if a sub-service organization does not implement adequate controls?
[Lauren] There’s a varying degree of depth that your assessment of your sub-service organization can have. If there’s not a lot of competitors, basically the only responsibility that you as the service organization are going to have is to document that you assessed your sub-service organization and you either found them lacking or that you found them appropriate.
I definitely would say that giving a little bit more of an enhanced review of your sub-service organizations than you normally do is warranted given COVID. But the SOC guidance doesn’t hold you to any requirement other than to periodically assess them.
If you assessed them and determined that everything was terrible, they’re not going to ask why you haven’t fired them. They just want to know that you are aware that they’re terrible (if they are, in fact, terrible). So, get down on paper that you assessed them, and if you found certain control areas were not effectively implemented through COVID, that you’ve noted it and are considering it in your vendor assessment of them and your assessment of their competitors.
But what’s required of you per the SOC guidance is just that you assess them and that the people involved in the assessment have the knowledge and authority to ensure that if any action needs to be taken on your end, it’s taken.
[James] That would be for a sub-service organization that you’re carving out?
[Lauren] Right. If it’s a sub-service organization that you have incorporated into your own controls, there’s definitely going to be more of a discussion to be had there. This would fall into the same vein as talking to your service auditor about potential alternate procedures for things. If you’ve incorporated a sub-service organization into your controls and you found that they have not been implementing their controls as stated, you’re going to want to do what you can to work around their failures and ensure that anything you have relied upon them for has a backup or fail-safe or some other process that you’ve implemented to ensure a failure won’t be passed on to your customers.
That’s definitely something you’re going to want to reach out to your service auditor about as soon as you become aware of anything lacking in your sub-service organization, so you can talk through it and make sure that you’re going to be fully covered.
Okay, that’s all the questions we seem to have. If anyone else has other questions or if you think of something after the fact that you want to ask me about, you’re welcome to email me at firstname.lastname@example.org at any time or give me a call at 713-353-1928.
As you’re documenting processes and getting back to normal or finding a new normal, if you have concerns about how your SOC audit or potential SOC audit may be affected, it’s always best to ask as soon as you think of it, because we may be able to give you helpful hints. The goal is to minimize interruption to your operations and not add work to anybody’s plate if we can help it. Addressing those things as they crop up rather than trying to address them all at once before you get your SOC audit will make things easier for everybody.
I appreciate everybody for tuning in. Thanks!