Reevaluate Your SOC 1 and SOC 2 Obligations During the Pandemic
In April, the American Institute of Certified Public Accountants (AICPA) offered guidelines for service auditors and businesses to get a handle on their regulatory obligations in the time of the coronavirus. In short, there may be changes to your operations, but there are still ways to remain compliant with SOC 1 and SOC 2 in today’s new normal.
Service auditors are asked to understand the impact of the COVID-19 pandemic on each individual service organization’s operations, the system used to provide services to customers, and the controls within the system. To a large extent, the effect of the pandemic depends on the nature of the services provided by the service organization, the systems used to provide them, and the controls the service organization has designed and implemented.
For example, a service organization that provides customer support over the phone or processes healthcare claims may have sent personnel home to work remotely or may have had to lay off or furlough a number of personnel. When personnel with the competence and authority to review, supervise or perform controls have been replaced by those who lack that competence and authority, there is an increased risk that controls may not operate effectively as designed. Controls may also be negatively affected by the lack of direct supervision by senior management.
Nevertheless, the AICPA warns that when there are significant changes to systems and controls, management is responsible for identifying and assessing new risks that might arise from system changes. It is also responsible for making modifications to controls – or designing and implementing new controls – to mitigate assessed risks. For example, a new risk may arise from the introduction of remote access software to enable employees to work from home. It is important that the service auditor carefully discuss with management all changes to the organization’s operations, systems and controls to make sure all relevant risks have been identified and addressed.
It can be difficult to ensure you are compliant with all of your regulatory obligations as your operations constantly shift during a pandemic. Hiring an IT consultant like 2W Tech can help your organization wade through the maze that is the AICPA SOC. Contact us today to assist you in getting a handle on your cybersecurity protection. 2W Tech is a technology service provider specializing in security solutions.