Service organization leadership is focused, now more than ever, on the health and well-being of their employees, but they must also continue to provide uninterrupted service to their customers. Among these unprecedented challenges, where do internal controls fall?

Whether issuing System and Organization Controls (SOC) 1 or SOC 2 reports, service organizations must still meet their contractual obligations and deliver reports to their respective organizations. This paper offers considerations for service organizations during these uncertain times.


Consider proactively changing the frequency of controls. Service organizations may want to consider reducing the frequency of low-risk controls. Are there certain controls that operate on a monthly basis that could still be effective in mitigating the intended risk if they were to change to quarterly? Could quarterly controls become semi-annual controls? At the same time, service organizations may want to consider increasing the frequency of controls that address risks that are now heightened due to changes in economic conditions, opportunities for cybercrime, etc. Service organizations may want to consider including their service auditor in these decisions.


Evaluate remote access controls. With a large portion of the world now working from home, service organizations with remote staff may want to evaluate the strength of their controls over remote access. Many service organizations use secure Virtual Private Network (VPN) connections, multifactor authentication requirements, etc.


Revisit cybersecurity controls in light of the heightened opportunity for cybercrime. In conjunction with the current COVID-19 pandemic, cyber attackers have increased their malicious efforts. Service organizations may want to consider additional security awareness training for employees and contractors, increased focus on anomalous security events identified by their security incident event monitoring systems, and alternative or expanded staffing arrangements to ensure the number of individuals who protect the service organization from cyber threats is commensurate with the increased risk during this public health event.


Enhance internal self-assessment. Service organizations may want to consider performing (or using a third party to perform) in-depth internal self-assessments to evaluate the health of the internal control program during the COVID-19 period (e.g. did all key controls continue to operate?) and implementing compensating controls where necessary to address any gaps in coverage.


Evaluate changes in controls. With service organization and user organization employees likely working from home, it is important to understand changes in service organization controls or user entity control considerations. Service organizations should be prepared to discuss any changes in controls during the period with their service auditors and disclose these within their SOC report. 


Draft incident disclosures. As a reminder, in the event of an incident (e.g. security, availability) that prevents the fulfilment of service commitments or service requirements, service organization management may be required to disclose the nature, timing, extent and effect of the incident and its presentation in their SOC 2 reports. In addition, in the spirit of ongoing communication, service organizations may want to consider notifying users impacted by the incident prior to the release of their SOC 2 report. Similarly, for service organizations with SOC 1 reports, in the event of incidents of non-compliance with laws and regulations, fraud, or uncorrected errors that are clearly not trivial and that may affect user organizations, service organizations are required to disclose those incidents to their service auditor, including whether such incidents have been communicated appropriately to affected user organizations.


Consider lessons learned from enacting business continuity/business resilience plans. Service organizations may want to take note of what worked and what did not when their business continuity plans were enacted in response to the disruption in the wake of COVID-19 and enhance those plans based upon the lessons learned.


Reevaluate risk assessments. Service organizations may want to reevaluate their risk assessments early and often based on the unforeseen risks and challenges posed by the COVID-19 pandemic. This may include modifying risks associated with this event and the impact on business operations as well as updating their annual risk assessments mid-year, taking into account mitigating factors and any newly required controls to compensate for those risks. 

While the above will not address all the short-term and long-term impacts of COVID-19, consideration of these factors will help a service organization to be prepared when the time comes for their service auditor's SOC examination.