COVID-19’s impact on SOC reporting
Physical security and manual controls
The impact of the COVID-19 pandemic has been felt around the world, causing organizations large and small to rethink their working environments, their operations, and the nature of their internal control systems. As service organizations’ post–COVID-19 control environments emerge, the ability to operate and assess physical security measures and certain manual controls poses a notable challenge for external reporting requirements.
COVID-19’s impact on physical control environments
While the impact of the current pandemic continues to unfold, the most immediate concerns have been how to keep employees safe and how to shift to remote operation. Even so, service organizations’ ability to meet the needs of their user entities remains part of their core business.
As our “new normal” finds its routine, service organizations are beginning to ask questions like:
- How do these changes affect our control environment?
- How will COVID-19 impact service organization control (SOC) reporting to our user entities?
As the world recovers from the impacts of the pandemic, and as governmental restrictions and guidelines continue to influence how we physically interact, service organizations and their auditors need to strategize and collaborate on new approaches to perform and test certain operational and physical security controls. The goal is to strike a balance: testing approaches that allow the service organization to continue to achieve its operational and employee safety goals, while still allowing the service auditor to opine over the affected control areas.
Download our recent perspective to learn more about COVID-19’s impact on SOC reporting and Deloitte’s COVID-19 considerations from the perspective of service organizations that report on their internal controls under the AICPA Statement on Standards for Attestation Engagements No.18 (SSAE 18) standards specific to SOC 1 and SOC 2 reports.
Physical security controls
SOC reporting of physical security controls in a time of uncertainty brings about new challenges and a need for new approaches. There are several key areas and considerations to keep in mind during this unprecedented time:
Travel restrictions may affect the service auditor’s plans to perform physical observations. As a result, the service auditor may need to use a local team to conduct the observations. Plan ahead with the service auditor to align on what will be required during physical observation tests, so you can determine who from the service organization will need to attend. Work with the service auditor to share a checklist or detailed instruction sheet with the data center team and its local staff in advance of the observation. Before scheduling live walkthroughs, consult internal guidance on physical interactions and workplace screening related to COVID-19. Limiting travel and confirming in advance that none of the parties involved are symptomatic will maximize your team’s time and safety.
An option to satisfy SOC reporting requirements while eliminating physical interaction may be to allow the service auditor to walk through the physical location virtually. This approach allows both the auditor and the service organization personnel to safely remain separate: a remote auditor directs the walkthrough over an approved video-conference feed, with on-site personnel acting as the auditor’s eyes. Consider the technical requirements for conducting virtual walkthroughs, and identify video-conference technology that is compatible with both the service organization’s and the auditor’s environments. Verify that the appropriate attendees have been identified (for example, process and control owners, preparers, or internal audit), invited, and provided with the link required for the selected technology. Request in advance any information expected to assist in facilitating the discussion, so that it is available for review or reference during the walkthrough. Because video recording within data center raised-floor space is often prohibited, additional coordination may be required with internal leadership or data center management to grant an exception during the pandemic.
If multiple locations (such as separate data centers) are in scope for the control environment, a site sampling approach may be an option. Consider working with the service auditor to determine whether sampling from the population of sites, rather than conducting observations at every in-scope data center, is possible. Factors influencing this decision include whether the service auditor has observed the site locations previously, the commonality of the controls across sites, and whether there have been any changes to the controls, services, or operations at the individual locations. If controls are common across sites, be prepared to articulate and evidence how these controls operate in the same manner at each location. Revising the testing approach may allow the service organization to satisfy the requirement to test physical security at in-scope locations while minimizing the resources required to do so.
Although it has been an option for a long time, some service auditors have avoided relying on the internal audit function because of the additional requirements and increased risk associated with relying on the work of others in SOC engagements. However, in light of COVID-19, the service auditor’s ability to use the work of others (such as internal audit) may reduce the need for live or virtual physical security testing by individuals outside the service organization.
In lieu of live observations or a virtual walkthrough, there may be an option to provide alternative evidence to demonstrate a control activity. Artifacts already produced by existing service organization personnel in the normal course of operations may be used to demonstrate the effectiveness of the controls in place. For example, previously recorded video clips from the closed-circuit television (CCTV) system, photos, or system logs reviewed by service organization management may be accepted by the service auditor as evidence of the physical access mechanisms employed at that location, particularly where there is a history of sound physical controls at that specific site.
Manual controls within control environment operations
Organizations may have work areas containing sensitive materials that were previously physically restricted but whose access arrangements have now changed because of “work-from-home” requirements. For service organizations producing SOC 2 reports, the criteria to physically restrict access to data do not stop at the data center site and may require that certain floors or units have limited access. Operational areas within SOC 1 reports, such as controls over check stock or receipt of confirmation letters, may also experience disruptions in physical security.
Personally identifiable information (PII) relevant to SOC reports may now be retained at employees’ homes, making access controls and environmental safeguards difficult to test at best. Sites and offices may be working with skeleton staffing, limiting their ability to host visitors who would perform physical security assessments. If these controls have moved to employees’ homes, evidencing that physical access to sensitive data is restricted may not be feasible. Consider alternative controls that may need to be implemented as detective measures to monitor this disruption to normal business, such as additional reconciliations or reviews of relevant system activity logs.
When alternative testing approaches are not an option
When alternative testing approaches are not possible, the report and the opinion may be affected. The following considerations may help in this situation:
- Retroactive monitoring controls: Consider whether controls that retroactively “look back” on a control process and detect potential errors may be an option. These monitoring controls could be implemented specifically for the period affected by COVID-19-driven shifts in control operations and could help partially or fully mitigate a gap in control processes. Such controls tend to operate downstream from other control processes and can often detect multiple potential errors in a control process. New controls created to address relevant control objectives or criteria would need to be described in Section III of the SOC report and included in the tests of controls in Section IV.
- Scope limitation and/or qualification: When the service auditor is unable to obtain sufficient appropriate evidence over the subject matter, a scope limitation exists. This could include, for example, a service auditor’s pandemic-related inability to observe certain physical controls, such as badge access systems, surveillance cameras, and guard stations. If significant enough to a control objective or trust services criterion, a scope limitation may need to be disclosed in the opinion and in management’s assertion.
However, a scope limitation does not necessarily result in a qualified opinion if other mitigating or common controls can be tested and found to be effective. For example, in the physical security scenario, if the service auditor was able to obtain sufficient evidence from the other in-scope data center locations to meet the objective or criterion, the inability to test one site may still allow the auditor to opine that the objectives or criteria were materially met.