COVID-19 has forced organizations to make quite a few changes rapidly to help ensure business continuity. As you work to continue serving your clients while also supporting a mostly remote workforce, you may have lost focus on the operation of your internal controls.
This is the time to evaluate compliance with internal controls and external regulations and perform a risk assessment. It’s also the time to reassure your customers that their data is still in safe hands.
When there are significant changes to systems and controls, management is responsible for identifying and assessing new risks that might arise from those changes. There may also be a need to modify existing controls, or to design and implement new ones, to mitigate assessed risks.
Auditwerx offers the following considerations as you navigate the COVID-19 crisis:
Perform a risk assessment
It’s highly likely that your risk environment has changed during the course of the pandemic. Business continuity risks may have risen to the top of the list and you may be scrambling to adapt to new remote work styles. Reevaluate your risk assessment and update your risk mitigation plan to minimize impacts on your control environment. Keep in mind the following questions:
- What are the greatest risks your organization faces and how are they impacting operations?
- Have new technologies been adopted that need to be included in the risk assessment?
- Were key employees laid off or furloughed?
- Have employee changes created potential segregation of duties issues?
- How are you protecting confidential or private information within remote environments?
- Have new cybersecurity threats or vulnerabilities been introduced?
- Do new controls need to be added or existing controls modified to address risks?
By taking steps to address the answers to these questions, you can help your organization continue to operate as normally as possible given the current circumstances.
Implement or evaluate your business continuity plan
Hopefully, your organization had a business continuity plan that was periodically tested. If not, now is the time to implement one, or to test an already existing plan. For an existing plan, it’s also important to evaluate how the plan was implemented during the pandemic to identify any lessons learned for the future.
Implement or redesign controls
Your risk assessment will likely reveal control gaps that require a control redesign or the implementation of additional controls. For example, ask:
- What controls are operating at a different frequency or not at all?
- Are there controls that require handwritten signatures or any other activity that cannot be performed remotely?
As you make control adjustments, be sure to properly document all control changes or implementations.
Communicate to your customers
Ensure you’re communicating any SOC reporting delays or issues to your customers in a proactive manner. Your customers rely on your report for their own reporting needs. In addition, you can elect to include additional information regarding your company’s response to the COVID-19 crisis within the “Other Information” section of the SOC report.
Prepare to return to normal
As you resume normal operations, you should re-evaluate changes made during the pandemic. Controls put in place or changed to handle the crisis could have long-term, negative impacts.
While the above may not address all of the impacts of COVID-19 on your organization, consideration of these factors can help you be better prepared for your SOC examination.