From moving to a remote workforce to strengthening cybersecurity, navigating the impact of COVID-19 has meant making quite a few changes — and making them rapidly to help ensure business continuity.
But what about your internal controls? Amid the chaos of COVID-19, are these controls still the same? Are they still adequate in a new environment?
Your employees may have come up with workarounds in order to do their jobs from home. It’s important consider whether these potential workarounds are just changes in tasks or if the control points have been impacted, too.
COVID-19’s rapid changes — and a significant rise in cyberattacks attempting to capitalize on the crisis — make a SOC audit more important now than ever. This is the time to evaluate your compliance with internal controls and any external regulations. It’s also the time to reassure your customers that their data is still in good, safe hands.
In fact, performing a SOC exam can help in these four ways:
1. Show your strength
Doing a SOC exam now can demonstrate to your customers that you have maintained your internal controls. This shows your customers that their data is safe with you even during a crisis, going a long way to demonstrate your strength, bolster your reputation and retain customers.
2. Avoid a gap in coverage
SOC exams are annual events that cover a specific control period. Let’s say, for example, that your control period is from June 1, 2019 to May 31, 2020. Because of COVID-19, you may be tempted to shift the control period by several months to, say, November 1, 2019 to October 31, 2020. However, this would leave a gap from June 1, 2019 to October 31, 2019 that isn’t covered by a SOC audit. In turn, that’s going to lead to customer concerns and questions about what controls were in place during that gap.
Your customers still expect a high level of security from your organization in hosting and/or processing their data — especially given the rise in cyberattacks during the pandemic. Having a gap in your control period only exacerbates their fears and concerns. However, by performing a SOC exam now, you can avoid that gap in coverage and reassure your customers that their data is secure.
3. Comply with regulations
COVID-19 has brought changes to not only businesses and organizations but also the government. It’s tempting to think, then, that the pandemic has relaxed certain regulations. Yet make no mistake, the laws and standards you’re required to follow are still in place.
If you work with healthcare clients, you’re still required to comply with HIPAA during the pandemic. If you work with financial institutions, you’re still required to comply with the Gramm–Leach–Bliley Act. And so on.
Maintaining compliance before, during and after COVID-19 is critical. By performing a SOC exam, you can demonstrate your continued attention to your controls to your customers, further putting their minds at ease.
4. Disclose new technology, procedures and controls
It’s likely during COVID-19 that your organization implemented new technology and procedures. Perhaps pre-COVID, a lot of internal procedures were paper-based, so you’ve implemented paperless technology to enable a remote workforce. You may have also implemented technology around data encryption, remote access and data transfer.
All these technologies look good to your customers, as it means you have reduced the chance of a data breach and have continued efforts to protect their data. So why not get credit for implementing these technologies by disclosing them in your SOC report?
Preparing for your SOC audit
To prepare for your SOC exam, if you already perform one on an annual basis, it’s important to first have a conversation with your SOC auditor about what may have changed in your environment from what was covered in the previous SOC report. A firm like Wipfli can help you evaluate the impact of these changes and decide whether they need to be reported in the SOC exam.
If you’ve been thinking about having a SOC audit done and haven’t had one before, you probably realize that it could help you retain existing customers and provide a competitive advantage over other service organizations that don’t have one. In this case, we recommend starting with a readiness assessment to evaluate your internal control structure and recommend remedial actions to take before performing the SOC exam.
Click here to learn more about Wipfli’s SOC exam services, or continue reading on:
My data center has a SOC exam. Do I also need one?
Do I need a SOC exam? And do I need more than one?
What will my first SOC audit be like?
How to choose the timing of your SOC exam
Understanding SOC exam exceptions and management letter comments