By Trevor Maki
Your organization needs a SOC report. Your customers are requesting it, but there’s only one issue: your organization doesn’t have a home office or physical location. How can management prove the controls are effective?
Alternatively, how does management prove controls are effective when an entire workforce suddenly has to switch to remote work, like in the COVID-19 environment?
The answer may sound incredibly simple: evidence, of course. There are varying types of evidence, and different pieces of evidence can be combined to prove controls were effective during the period.
Below are five types of evidence to help an organization prove sound controls in a remote environment:
1. Data logs
For an organization that has always been remote or had to go remote in response to COVID-19, data logs prove incredibly valuable for controls that relate to logical and physical security. Reports from your software and Active Directory can provide your SOC auditor with the list of authorized users, and data logs can reinforce logical and physical security controls by showing that only those authorized users were able to access the systems within the scope of your SOC audit.
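As an added illustration (not from the article), here is the kind of reconciliation a control owner could run to produce that evidence: it takes an authorized-user export with grant and revocation dates and a set of access-log lines, both constructed here in assumed formats, and reports every successful login during the audit period that falls outside a user's authorization window.

```python
from datetime import date, datetime

# Audit period under review (constructed example dates).
AUDIT_PERIOD = (date(2020, 1, 1), date(2020, 6, 30))

# Constructed authorized-user export, e.g. from a directory service:
# user -> (date access was granted, date it was revoked or None if still active).
AUTHORIZED_USERS = {
    "alice": (date(2019, 5, 1), None),
    "bob":   (date(2020, 2, 15), None),
    "carol": (date(2018, 3, 1), date(2020, 4, 10)),  # terminated 2020-04-10
}

# Constructed access-log lines in an assumed format:
# "<ISO timestamp> <user> <system> <result>"
ACCESS_LOG = """\
2020-01-03T08:12:00 alice payroll-app LOGIN_OK
2020-02-14T09:00:00 bob payroll-app LOGIN_OK
2020-02-16T09:00:00 bob payroll-app LOGIN_OK
2020-04-12T10:30:00 carol payroll-app LOGIN_OK
2020-05-01T11:00:00 mallory payroll-app LOGIN_OK
2020-05-02T11:00:00 mallory payroll-app LOGIN_FAIL
2020-08-01T08:00:00 alice payroll-app LOGIN_OK
"""

def parse_log(text):
    """Split each log line into (timestamp, user, system, result)."""
    entries = []
    for line in text.splitlines():
        ts, user, system, result = line.split()
        entries.append((datetime.fromisoformat(ts), user, system, result))
    return entries

def is_authorized(user, when):
    """True if the user held access on the given datetime (revocation day is the last day of access)."""
    if user not in AUTHORIZED_USERS:
        return False
    granted, revoked = AUTHORIZED_USERS[user]
    if when.date() < granted:
        return False
    return revoked is None or when.date() <= revoked

def find_exceptions(entries, period=AUDIT_PERIOD):
    """Return successful logins inside the audit period by users not authorized at that time."""
    start, end = period
    exceptions = []
    for ts, user, system, result in entries:
        if not (start <= ts.date() <= end) or result != "LOGIN_OK":
            continue  # outside the period, or a failed attempt (no access gained)
        if not is_authorized(user, ts):
            exceptions.append((ts.isoformat(), user, system))
    return exceptions
```

An empty result is the evidence the auditor is after; each exception returned is an item management must explain or remediate.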
2. Emails
Emails can provide evidence for a number of different types of controls, such as 1) approval of access in relation to logical security controls, 2) proof of review and approval for operational controls requiring a detailed review or 3) an audit trail of sign-offs in lieu of paper signatures. Your auditor may request a listing of organization email addresses to verify senders and determine that the senders are appropriate for the control being tested, or they may review the external party to determine that their email address appears appropriate.
3. Webcam walkthrough
Controls that can only be tested through observation can still be tested with some creative thinking and the use of team collaboration applications such as Microsoft Teams, Zoom or Skype. Your SOC audit team may be able to validate that controls were effective through a webcam walkthrough — allowing them to observe controls that they normally would have observed onsite or that would otherwise require some form of in-person observation.
4. Electronic workflows
If your organization uses some form of workflow software or process to ensure control steps are being completed accurately, these workflow applications may provide useful evidence as a type of electronic checklist.
These workflows are particularly effective for showing the effectiveness of operational controls and logical access controls. For example, if your organization has a control governing new-user setup in your system and the team performing that setup uses an electronic workflow, the workflow may provide solid evidence that new users were set up by appropriate personnel, in a timely fashion and with the proper access. Or, for an operational control, a workflow may show timely completion of vital operations and a timely review of those operations that are within the scope of your SOC audit.
5. Paper documentation
Good old-fashioned paper documents — provided to your auditor in an electronic format such as PDF, JPEG or PNG — can also be acceptable forms of documentation. This evidence works well for proving contracts have been signed between your organization and customers and your organization and vendors, for new hire or termination testing related to logical and physical access, or even for completion of checklists related to operational controls.
How to assess internal controls: Let Wipfli help you get started
All of these types of evidence can help you and your organization prove controls were effective during your SOC audit period, even if you do not have a home office or a physical location, or you were forced to move to a remote workforce in response to COVID-19.
More importantly, it’s critical to discuss with your audit team what counts as acceptable and appropriate documentation to prove your controls were suitably designed, fairly described and effective during your audit period. Work with your audit team to ensure your organization has captured all of its controls during the period, including any new controls added as a result of moving to a remote workforce.
If your organization needs a SOC audit to provide assurance to your customers, reach out to Wipfli. We’ll discuss with you how we can help you prepare for a SOC audit or to provide you with the required third-party audit of your controls.