In late April, the AICPA published non-authoritative guidance to assist service auditors as they prepare for and perform SOC examinations in the wake of the COVID-19 outbreak. The guidance can also be applied by service organizations that are undergoing or planning for a SOC exam in the wake of the pandemic, which has certainly altered how most companies conduct business.
Highlights for service organizations from the published guidance follow:
- Consider how COVID-19 has affected how you provide services, the systems you have in place, and your controls around these items. Your service auditors will inquire as to how these items have changed and, where controls are involved, test to ensure that they’re still designed and operating effectively. Note: one such change may be that key personnel were laid off or furloughed. It’s important to understand how loss of key personnel may have affected how your controls operate.
- Management is responsible for determining and mitigating any new risks that may have arisen from changes made. Be prepared to share these risks with your service auditor in case they require new or redesigned testing procedures. For example, if your employees are now working from home, your service auditors may increase testing around the security of your remote connections.
- When writing or updating your description of the system, ensure that any significant changes made as a result of the pandemic, and tested by your service auditors, are properly disclosed.
- Your service auditor will still need to obtain an appropriate amount of evidence to support their opinion. When providing documentation as evidence, remain mindful of its reliability to a service auditor, as well as the completeness and accuracy of populations. This may require some creative problem-solving on both sides. For example, walkthroughs to test physical access controls may not be possible in person, but video calls could serve as an alternative if performed within the period. If there’s evidence that can only be provided in hard copy form, and employees are restricted from going to the office due to social distancing restrictions, discuss this with your service auditor so an alternate course of action can be decided.
- While your service auditor will not be testing your company’s ability to operate as a going concern, consider if disclosures of this nature may be needed in your system description.
- Attestation standards require your service auditor to inquire of management if any events have occurred subsequent to the period of time covered by your report. If there have been events related to COVID-19 that occurred subsequent to your reporting period, be sure to make your service auditor aware.
- Your service auditor may ask you to add additional representations to your representation letter. Examples provided by the AICPA include:
  - Effects of COVID-19 on the organization, its technologies, etc.
  - New risks identified from any changes made to systems
  - Going concern issues identified
- If you utilize the inclusive method to disclose services provided by a subservice organization, determine if your subservice organization is still able to participate in a SOC engagement. The carve-out method may be required if your subservice organization simply doesn’t have the time or ability to participate in the examination. If this is the case, work together with your service auditor to determine if the carve-out method presents your system in an accurate manner. A scope limitation like this may require modification of the assertion and service auditor’s report.
- Be proactive in speaking to your customers to understand the impact a delay in producing your SOC report may have on them, and make your service auditor aware of customer concerns or needs.
If you have any questions on how to handle these or any other COVID-19 considerations in preparation for your SOC examination, feel free to reach out to the team at Schneider Downs.
Please visit our Coronavirus Resource Center for related content.