Has your organization recently moved to a remote workforce due to the COVID-19 pandemic? Although the extra-casual dress code and commute might be nice, don’t allow the change in routine to impact the criteria essential to a SOC 2 examination. Moving to a virtual workforce poses many challenges and new risks that need to be considered for SOC 2 examinations including:
Standardization – Moving to a completely remote workforce may affect the scope of your organization's control environment more than you think. The American Institute of CPAs (AICPA) provides criteria stating that an organization should implement logical access security software, infrastructure, and architectures to protect it from security events (AICPA, Trust Services Criteria). This directly relates to those accessing organizational data from outside the organization's network. Many organizations opt to implement two-factor authentication, virtual private networks, or encrypted hard drives for existing remote workers to satisfy these criteria. Organizations must be careful to extend the controls already implemented for their pre-existing remote workforce to the entire organization, both to keep it secure and to avoid a deficiency during the SOC 2 examination.
Vulnerabilities – A risk assessment should be performed to identify potential gaps specific to a remote workforce. It is important to understand that your employees may not just work from home, but rather anywhere that has internet access such as hotels and airports. Controls should be implemented or revised to mitigate risk from vulnerabilities identified, such as disabling removable media, providing more robust security awareness training, and/or requiring users to acknowledge a remote work policy. Additional controls could include web content filtering, disabling local administrative rights on employee machines, and disabling VPN split tunneling. Security awareness training should provide employees with the knowledge to maintain proper cyber hygiene away from the office.
Documentation – Working remotely provides a great opportunity to use collaborative tools to communicate with your team. Although substituting an in-person board of directors' meeting with a video call may sound nice, it is important to perform the same level of documentation that would typically be performed for an in-person meeting. This includes formally documenting the agenda, meeting minutes, and any approvals that result from the meeting. A SOC 2 examination relies on documentation to demonstrate the operating effectiveness of controls. Lack of documentation showing that a meeting occurred, or evidence of the specific items covered during the meeting, can be the difference between a clean report and a report with deficiencies. Policies and procedures should be developed to establish proper documentation guidelines. Further, a retention policy should be put into place to ensure documentation is not removed or deleted prior to the end of its useful life.
Timeliness – SOC 2 Type II examinations require evidence to show the operating effectiveness of a control. New controls and expanded existing controls can add considerable time to the documentation gathering phase of an engagement. Planning your resources accordingly will allow the engagement to progress smoothly and on schedule.
Understanding the impact of a remote workforce on your SOC 2 examination is important to ensure all controls operate effectively and remain relevant to your organization's environment.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.