As SOC auditors, we frequently get asked whether SOC exam controls can change within the period. The answer is, absolutely!
Business operations don’t revolve around the SOC report cycle, and changes are bound to be made throughout the year. While these control changes are inevitable, your auditor will need to audit the prior control and the new control. Therefore, it’s important to plan ahead and communicate with your auditor about the impact these changes will have on the SOC audit.
Assess the impact and make audit plan modifications
To assess the impact on the audit and on coverage for the required SOC criteria, start by asking yourself the following questions:
- Does the control change alter the intent of the original control?
- Are there other controls and processes that are impacted by the change?
- Does the change limit your auditor’s ability to obtain evidence from before the change?
Based on your answers to these three questions, your auditor will need to adjust the audit plan.
1. Does the control change alter the intent of the original control?
For this first question, consider whether the change alters the intent of the control itself or is more a change in how the control is performed. For example, if you were manually tracking system access requests in emails and implemented an automated ticketing system mid-period, ask yourself whether this control change alters the intent of the original control.
If the intent and outcome of the control are similar, the procedures and evidence may look very similar. If there is a drastic change, does this result in a control gap?
2. Are there other controls and processes that are impacted by the change?
When the change is being made, does it impact other systems or processes? For example, if you’re implementing a new system, perhaps the authentication requirements don’t work with the current configuration. Does this change require other tangential controls to be modified, and does this impact the risk associated with the control?
3. Does the change limit your auditor’s ability to obtain evidence from before the change?
Will your auditor be able to collect evidence from prior to the change? It may be easiest to collect audit evidence prior to disabling the old system/process. For example, if you’re implementing a new accounting system, your auditor will want to grab screenshots and configurations of password parameters, lockout settings, user access lists and administrator lists from prior to disabling the old system.
It’s also important to keep track of when a control changed and to inform your auditor so that they know what to look for and can perform the SOC audit correctly. For example, if a daily checklist was implemented on July 12, then you should tell your auditor that they should only expect to see checklists from July 12 forward, not for the entire year.
Changing controls before your SOC audit
With proper foresight and planning, you can implement changes to controls mid-period in a way that helps your auditor collect the necessary evidence and perform your SOC exam more easily and efficiently.
If you have any questions about how to determine the answers to the above three questions or how certain changes may impact your SOC exam, contact Wipfli.