Typically, October is the start of the attestation reporting season. This means companies start receiving SOC and ISAE reports for their internal controls over financial statements as well as other internal control frameworks. Like any organization this year, however, the service organizations issuing these reports have been impacted by COVID-19. What does this mean for you?
A lot of SOC (Service Organization Controls) and ISAE (International Standard on Assurance Engagements) reports are issued between October and December as they cover the period from January to September. While the process of obtaining, reviewing and evaluating these reports has become fairly standard and straightforward over the years, we expect this year to be a little bumpy. Indeed, the impacts of COVID-19 being felt all around the world will not stop at service organizations’ doors. In fact, we expect several trends:
Just like so many other companies, service organizations are impacted by the current global health crisis and have had to take measures to protect their employees. This means work-from-home policies, short-time work, etc., which will probably have an impact on the annual SOC/ISAE reporting process. The reasons are many: control owners might not be available or may have changed, the testing process may be extended to accommodate short-time work, virtual meetings may impact efficiency, travel restrictions may prevent physical observations, etc. In addition, since the process involves many stakeholders such as management, IT, the service auditor or third-party vendors, it becomes even more difficult to reach consensus on decisions.
The massive transition to remote work as well as other emergency measures taken by companies as a result of COVID-19 mean that processes and controls had to be adjusted to allow operations to continue. Few continued as-is thanks to mature digital processes; nonetheless, many organizations had to make some adjustments, enabling services or allowing transactions. A recent survey showed that 85% of CISOs admit they sacrificed cybersecurity to enable a shift to remote working.
Since the controls and control objectives of the reports have to be defined and described clearly, any change in the process needs to be reflected in the report from a SOC & ISAE perspective. For example, we expect a number of control descriptions this year to include a precise indication of the period, such as:
While these changes may not have an impact on overall conclusions and opinions, they will make the process more time-consuming for the readers of the report, since any change will have to be carefully evaluated for impacts on the control environment.
With control changes will also come control deviations. Since rules have been bent, authorizations have been granted, and special circumstances have been agreed to, we expect an increase in the number of exceptions identified by service auditors. Simple examples include new conflicts in the segregation of duties, lack of physical or digital evidence, insufficient oversight, missed deadlines, etc. Increased activity in certain transaction-based processes also means an increased likelihood of errors and issues. From layoff plans that require more access removals to increased remote working leading to increased network traffic, control owners are seeing their control activities surge while at the same time being impacted by health measures just like anyone else.
If you are to receive one or more SOC or ISAE reports in the coming months, you should: