Compliance
The Impact of Covid-19 on SOC Reporting
This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free. Please see the latest on this topic here.
The audit cycle for organizations that receive SOC reports includes new challenges related to Covid-19. Remote workforces are now the norm throughout the world, which introduces new risks. For example, connecting to corporate networks using personal computers that may be infected with malware is one such risk. Additionally, hackers and fraudsters have stepped up their game and increased the frequency and sophistication of their attacks to take advantage of the vulnerabilities that come with a remote workforce. Many organizations have suffered economically due to Covid-19 with workforce reductions to help reduce costs. However, this could result in a failure to re-assign control responsibilities and a corresponding failure to perform certain controls.
During the pandemic, there is expected to be a higher frequency of control deficiencies noted in SOC reports and a corresponding increase in the number of qualified opinions that are issued by service auditors. But there are practical steps that service organizations can take to minimize the impact of Covid-19 on their SOC report and reduce the risk of security incidents and cyber-attacks. In this blog post, we will explore various strategies to accomplish this.
10 steps to improve security, minimize risk, and reduce exceptions in SOC reports during the pandemic
- Keep software up to date. Keep your security software, web browser, and operating system updated to the latest version. Updates help prevent patch security holes that cybercriminals could exploit to access confidential data or infect your devices with malicious software.
- Encrypt devices. If there is sensitive confidential data on employee devices, including laptops, tablets, smartphones, flash drives and other removable storage devices, consider encrypting those files. This is more important with a remote workforce where the storage of confidential data on employee devices is more common than in the traditional work environment. Hackers understand the vulnerabilities of a remote workforce and are exploiting these vulnerabilities more than ever.
- Use multifactor identification. With a remote workforce, multifactor identification plays a major role in preventing cybercriminals from accessing data and employee accounts. Take the extra security step to enable multifactor authentication on any account that requires login credentials.
- Secure routers. Routers typically come with a default password, and cybercriminals might already know what it is — meaning your network would be at risk. Change the password on your router to something a cybercriminal would be unlikely to guess (see password guidance below.)
- Use strong encryption. There are different types of encryption. Make sure your router offers WPA2 or WPA3 encryption. Both are strong forms of security. Encryption protects information sent over your network so it cannot be read by outsiders.
- Use strong passwords. Make your passwords strong and unique. A strong password contains at least 12 characters, including letters, numbers, and special symbols. Avoid using the same password on more than one account.
- Review and communicate data security policies and practices. Review and update data security policies to ensure they are compatible with a remote work setup. Communicate data security policies to your employees and send frequent reminders regarding data-security best practices while working from home.
- Limit access to protected and confidential information. Consider restricting employee access to confidential and protected information on a role-specific basis to ensure employees have access to only the information needed to complete their specific duties.
- Use virtual private networks (VPNs). Organizations should enforce VPN connections to access company assets. This provides an additional layer of protection for confidential data.
- Be mindful of Covid-related scams and phishing emails. Remind employees to be diligent in their review of emails prior to opening links or attachments, and to report phishing attempts as soon as possible once discovered. Controls such as annual penetration testing are more important than ever to help gauge the security awareness (including susceptibility to phishing emails) of employees.
Examples of controls that may be impacted by Covid-19
Background checks
Most SOC reports include the following control: Background checks are performed on all job candidates, and employment with the organization is contingent upon a clean background check report. Traditionally, it was assumed that background checks were completed prior to the start of employment and service auditors generally test for this. Prior to Covid-19, a comprehensive background check took between three and ten days to complete. Currently, it may take a month or more because records are harder to access by a remote workforce. Companies risk losing good candidates if they delay job offers until after background checks are completed. From a SOC reporting perspective, we advise organizations that face this issue to temporarily change the wording of their control to: Background checks are initiated prior to the start of employment. However, if there are delays with the completion of background checks, employees may be onboarded prior to the receipt of the report. Permanent employment is contingent upon a clean background check.
Risk assessments
One of the entity-level control activities in a SOC 1 and SOC 2 report is the risk assessment process, which includes the identification of, and response to, evolving threats and risks. Working remotely changes routine business processes and these changes may “break” some of the built-in controls in those processes. Additionally, threats and risks to information technology general controls (SOC 1), and to the security, availability, confidentiality, processing integrity and privacy of systems and related customer data (SOC 2), are also likely to change, which all need to be reflected in the current risk assessment process.
Service organizations should review their risk assessment process to determine if Covid-19 has led to changes to the scope of the system, introduced new risks to the achievement of objectives or criteria, and ensured the organization has properly addressed the changes and new risks.
For SOC 1, the overall risk assessment should include Covid-19 considerations and determine whether any objectives, risks and/or controls have been impacted. For SOC 2, additional consideration should be given to the in-scope criteria and impact of Covid-19 on security, availability, processing integrity, confidentiality and/or privacy. Service organizations will need to assess whether there are new risks associated with an increase in remote workers. For example, should multifactor authentication or additional security measures be put in place to mitigate the new risk?
Whether organizations have been impacted or not, Covid-19 may cause risks that should be addressed by all organizations. Some further considerations for the risk assessment include:
- What has changed in the operation (i.e. organization structure, remote work, new service, new tools) since Covid-19?
- Which controls (i.e. automated system controls, configurations, alert monitoring) will continue to operate as previously designed regardless of new Covid-19 operations?
- Which controls are no longer operating as designed?
Acknowledgement of employee handbooks and confidentiality agreements
Employee acknowledgements of certain human resource documents are often done manually. The signoffs and storage of these documents should move to an electronic format for organizations that are onboarding employees remotely and utilizing a work-from-home model.
Transaction processing controls for SOC 1 reports
Controls associated with payment approval, account reconciliation, check-run approval, and other management review controls are often performed and documented manually. The performance and documentation of such controls may need to move to an electronic format for organizations utilizing a work-from-home model.
Performance appraisals
Most organizations have traditionally used face-to-face meetings as part of their performance appraisal process. Given the recent challenges and risks of meeting in person, many organizations have postponed or simply not performed annual performance appraisals. We advise organizations to maintain their normal performance appraisal cycle and conduct the management review via video conference. This is important from a control perspective and to avoid exceptions in SOC reports. But even more importantly, performance appraisals are a valuable mechanism for communicating with employees and providing them with peace of mind and encouragement during Covid-19.
Physical and environmental security controls
Physical and environmental security controls are generally expected to be performed consistently throughout the year despite Covid-19. One exception is the regular maintenance of equipment (fire and flood detection and prevention, etc.). Although the frequency of this maintenance may be reduced due to social distancing and other concerns, it is critical for data centers to take steps to ensure that equipment is properly maintained and operational.
While the performance of physical and environmental security controls may not significantly change, the service auditor’s method of testing these controls will be much different than in the past. Data center walk-throughs and observation of physical and environmental controls will no longer be commonplace. Instead, service auditors will use video conferencing and other technologies to observe the implementation and operating effectiveness of controls.
Conclusion
Because of the changes to risks and controls caused by Covid-19, this will be a challenging year for organizations that receive SOC reports. However, evaluating and responding to the risks of Covid-19 proactively will help minimize the impact of the pandemic on the audit process.