COVID-19’s impact on SOC reporting
Physical security and manual controls
The impact of the COVID-19 pandemic has been felt around the world, causing organizations, large and small, to rethink their working environments, operations, and the nature of their internal control systems. As service organizations’ post–COVID-19 control environments emerge, the ability to provide for and/or assess physical security measures, and certain manual controls poses a notable challenge for external reporting requirements.
COVID-19’s impact on physical control environments
While the impact of the current pandemic continues to unfold, the most immediate concerns, keeping employees safe and shifting to remote operation, have been a high priority; however, service organizations’ ability to meet the needs of their user entities remains part of their core business.
As our “new normal” settles into a routine, service organizations are beginning to ask questions such as:
- How do these changes affect our control environment?
- How will COVID-19 impact service organization control (SOC) reporting to our user entities?
As the world recovers from the impacts of the pandemic, and as governmental restrictions and guidelines continue to influence how we physically interact, service organizations and their auditors need to collectively strategize and collaborate on new approaches to perform and/or test certain operational and physical security controls. The goal is to strike a balance between testing approaches that allow the service organization to continue to achieve its operational and employee safety goals and those that allow the service auditor to still opine over the affected control areas.
Download our recent perspective to learn more about COVID-19’s impact on SOC reporting and Deloitte’s COVID-19 considerations from the perspective of service organizations that report on their internal controls under the AICPA Statement on Standards for Attestation Engagements No.18 (SSAE 18) standards specific to SOC 1 and SOC 2 reports.
Physical security controls
SOC reporting of physical security controls in a time of uncertainty brings about new challenges and a need for new approaches. There are several key areas and considerations to keep in mind during this unprecedented time.
Manual controls within control environment operations
Organizations may have work areas containing sensitive materials that were previously physically restricted and have now changed due to “work-from-home” requirements. For service organizations producing SOC 2 reports, the criteria to physically restrict access to data do not stop at the data center site and may require that certain floors or units have limited access. Operational areas within SOC 1 reports, such as control over check stock or receipt of confirmation letters, may also experience disruptions in physical security.
Personally identifiable information (PII) relevant for SOC reports may now be retained at employees’ homes, making access controls and environmental safeguards difficult to test at best. Sites and offices may be working with skeleton staffing, limiting their ability to host visitors to perform physical security assessments. If these controls have moved to employees’ homes, evidencing that physical access to sensitive data is restricted may not be feasible. Consider alternative controls that may need to be implemented as detective measures in order to monitor this disruption to normal business, such as additional reconciliations or review of certain systematic activity logs.
When alternative testing approaches are not an option
When alternative testing approaches are not possible, the report and the opinion may be affected. The following considerations provide useful insights to aid in this situation:
- Retroactive monitoring controls: Consider whether controls that retroactively “look back” on a control process and detect potential errors may be an option. These monitoring controls could be implemented specifically for the period affected by shifts in control operations from COVID-19 and could help partially or fully mitigate a gap in control processes. These controls tend to operate downstream from other control processes and can often detect multiple potential errors in a control process. New controls created to address relevant report objectives or criteria would need to be described in Section III and included in Section IV of the SOC report.
- Scope limitation and/or qualification: When the service auditor is unable to obtain sufficient appropriate evidence over the subject matter, a scope limitation exists. This could include, for example, a service auditor’s pandemic-related inability to observe certain physical controls, such as badge access systems, surveillance cameras, and guard stations. If sufficiently significant to a control objective or trust services criterion, a scope limitation may need to be disclosed in the opinion and in management’s assertion.
However, a scope limitation does not necessarily result in a qualification of the opinion if other mitigating or common controls can be tested and found to be effective. For example, in the physical security control scenario, if the service auditor was able to obtain sufficient evidence from other in-scope data center locations to meet the objective or criteria, the inability to test a certain site may still allow the auditor to opine that the objectives or criteria were materially met.