Typically, October marks the start of the attestation reporting season: companies start receiving SOC and ISAE reports covering their service providers' internal controls over financial reporting, as well as other internal control frameworks. Like every other organization this year, however, the service organizations issuing these reports have been impacted by COVID-19. What does this mean for you?
A lot of SOC (Service Organization Controls) and ISAE (International Standard on Assurance Engagements) reports are issued between October and December, as they cover the period from January to September. While the process of obtaining, reviewing and evaluating these reports has become fairly standard and straightforward over the years, we expect this year to be a little bumpy. The impacts of COVID-19 being felt all around the world will not stop at service organizations' doors. In fact, we expect several trends:
1. Delays in report issuance
Just like so many other companies, service organizations are impacted by the current global health crisis and have had to take measures to protect their employees. This means work-from-home policies, short-time work, etc., which will probably affect the annual SOC/ISAE reporting process. The reasons are many: control owners might not be available or may have changed, testing processes may be extended to accommodate short-time work, virtual meetings may reduce efficiency, travel restrictions may prevent physical observations, and so on. In addition, since the process involves many stakeholders, such as management, IT, the service auditor and third-party vendors, reaching consensus on decisions becomes even more difficult.
2. Changes in controls
The massive transition to remote work, as well as other emergency measures taken by companies as a result of COVID-19, means that processes and controls had to be adjusted to allow operations to continue. A few organizations continued as-is thanks to mature digital processes; nonetheless, many had to make adjustments, such as enabling new services or allowing transactions outside the usual process. A recent survey showed that 85% of CISOs admit they sacrificed cybersecurity to enable the shift to remote working.
Since the controls and control objectives in the reports have to be defined and described clearly, any change in a process needs to be reflected in the report from a SOC and ISAE perspective. For example, we expect a number of control descriptions this year to include a precise indication of the period, such as:
- From 1 October 2019 to 15 March 2020, all changes to the system were approved by at least three CAB members in the change management tool.
- From 16 March 2020 to 30 September 2020, all changes to the system were approved by at least two CAB members either in the change management tool or via email.
While such changes may not affect the overall conclusions and opinions, they will make the process more time-consuming for readers of the report, since each change will have to be carefully evaluated for its impact on the control environment.
3. Increase in the number of control deviations
With control changes will also come control deviations. Because rules have been bent, authorizations have been granted and special circumstances have been agreed to, we expect an increase in the number of exceptions identified by service auditors. Simple examples include new conflicts in the segregation of duties, a lack of physical or digital evidence, insufficient oversight, missed deadlines, etc. Increased activity in certain transaction-based processes also means an increased likelihood of errors and issues. From layoff plans that require more access removals to increased remote working leading to increased network traffic, control owners are seeing their control activities surge while being affected by health measures just like everyone else.
What to do about it now?
If you are to receive one or more SOC or ISAE reports in the coming months, you should:
- Contact your third-party providers now to get an update on the status of the report, any anticipated changes and any known exceptions. While they may simply state that testing is ongoing, you should be able to get an indication of whether any significant changes are expected.
- Evaluate the impact of material deviations or qualifications on your own control environment and identify compensating controls that can be relied on. Typically, these involve the reconciliation of data, log reviews or sample-based testing.
- Work with your external auditor to anticipate the impact of significant issues in the reports. This could include planning additional testing procedures or implementing mitigating measures.