Work(force) from Home: Understanding and Managing Your SOC Compliance Risk

How we all work, and live, has drastically changed in a short amount of time. With the social changes and government restrictions amidst the COVID-19 outbreak, much of what we do on a daily basis to provide goods and services is being done very differently now.

With that in mind, it can be easy to lose sight of the processes within organizations, designed over years of trial and error, to ensure the security of information. With the dust settling after the rush to implement a work-from-home (WFH) workforce, it is important to stop for a moment to consider whether your entity’s data security controls have been negatively affected.

While this is important for all organizations, it has added significance for organizations subject to SOC examinations since any degradation of controls could potentially become a finding in your next report.

Be Proactive on Your New WFH Compliance Risks

Changes to your operations stemming from COVID-19, whether you call them working from home, remote working, or teleworking, will be an important discussion topic during your next SOC planning meeting. To make sure you are ready, we recommend taking the following actions:

  • Review the controls within your most recent SOC report and consider whether any of these controls have been affected by operational changes. Areas where control impact is likely include:
    • Provisioning of new IT resources to support WFH.
    • Provisioning of access to new systems/resources or elevated access within existing systems/resources.
    • Data handling policies and procedures that may not address WFH.
    • Implementation of new collaboration tools to share (potentially sensitive) customer information.
  • For any impacted or newly added controls, record the date of change/implementation and any other pertinent details in a memo.
  • Consider whether changes to controls have resulted in audit evidence that would be different from what was provided in the past. Discuss these differences with your auditor to determine whether the new evidence will cause any problems.
  • For affected or newly implemented controls, consider whether the necessary documentation and approvals have been retained to support audit requests. (Were all of those newly provisioned VPN credentials formally approved in the rush to get your teams working remotely?)


We Are Here to Help

The health and well-being of you and your families is the first priority. When the time comes to evaluate the integrity of your security controls in this new landscape, we can guide you through the process and create the reports you need for assurance related to your controls.

Lurie’s Technology Assurance team is dedicated to providing technology advisory and compliance services to companies that range from start-ups to Fortune 100 companies.

Contact us today with your questions. We are here to help.

Meet Our Team

Sean P. Linton, CPA

Partner, Technology Consulting

With a broad base of experience in multiple audit disciplines, Sean offers a well-rounded approach to technology consulting. He specializes in System and Organization Controls (SOC) examinations, building strong foundations of trust with his clients and striving to implement creative ways to test controls when standard approaches are no longer viable.


Partner, Technology Consulting

Kate Siegrist leads Lurie’s growing technology practice and consults with business owners to help improve their security, compliance, and technology controls posture. As a partner, she oversees the firm’s SOC 1, 2, and 3 practices, security assessments, IT strategic planning services, IT risk assessments, IT governance assessments, business and systems transformations, and controls audits. Kate has been a featured speaker on technology and controls topics relevant in this rapidly evolving arena.



This article is for your general education, and does not create a client relationship or any service engagement between you and Lurie LLP. The content of this article is based on the best information available, but official guidance, rules, laws and/or updates may change and become out of date. Please contact your Lurie advisor before acting on any of the information contained in this article.

We may provide links to third-party sources for your convenience, but we do not review, control, or monitor the materials on any other websites. Lurie LLP is not responsible for the performance of those websites or for your business dealings with them.
