The CDC recommendation for social distancing is driving many employers to direct their employees to work from home, which may represent a material deviation from how they perform their daily tasks. The Type 2 SOC 1 and SOC 2 reporting frameworks evaluate the suitability of the design and operating effectiveness of internal controls throughout the reporting period, and a central theme in these examinations is how the company assesses risks and what steps they take to mitigate them.
For companies that do not have well-developed policies and procedures for remote workers, these changes could potentially introduce circumstances that may be inconsistent with the control statements indicated in their SOC reports. These conflicts could spell trouble when the independent service auditor begins testing and could ultimately result in a qualified or adverse opinion.
Consider the following example from the SOC report of XYZ Service Corporation (fictitious) that has 100 employees that typically work in an office environment. Due to the coronavirus pandemic, XYZ Service Corporation is now asking 50 of them to work from home. Here is a single control statement from the XYZ report that represents one of many controls that may be affected by this change:
The service auditor will typically test this control in a client environment by sampling a number of systems and verifying the software is installed and configured for hourly updates, and that IDS is present and operating. The auditor may also rely on information provided via reporting from a centralized management server. But what happens to the evaluation of this control when, say, 50% of employees were working from home for weeks or even months? The control activity is still likely to be considered suitably designed; however, how can the auditor determine if it was operating effectively during the period employees were working from home? If XYZ Service Corporation cannot provide documentation or evidence that user’s home computers were in compliance with this control statement, it’s entirely likely the service auditor will qualify the report.
The good news is that these potentially adverse outcomes can be avoided with appropriate risk and governance strategies. However, the time to employ these strategies is right now. The management of companies that are currently in a SOC 1 or SOC 2 reporting period should revisit their prior-year SOC report and review the system description, control objectives, and control statements that are described in the report and then reassess risks based on the process changes they intend to implement.
In the example above, XYZ Service Corporation has elected to require half of its workforce to work remotely from home. This decision may be the best solution to ensure employee and public safety; however, what new risks does this choice present to the company and its customers? The risk assessment process should consider threats to the company, its software and systems, and its data and should be documented according to the company’s risk assessment policy or procedure.
Does the company have documented standards, guidelines, policies, or procedures regarding remote work?
The examples of questions above are by no means the only considerations in this scenario. Still, they clearly illustrate that assessing risk is vital when making significant changes to a company’s control environment.
The coronavirus pandemic is proving to be very disruptive across almost every industry. Events such as natural disasters, emergencies, political upheavals, and the like are viewed as opportunities for hackers and criminals. They know that companies are making changes, and employees are learning a new way of doing things, and they will work tirelessly to find a way to exploit them. As companies change their workflow processes and procedures to accommodate a remote workforce, they should consider the information security risks these changes introduce to their services and evaluate if they have adequately deployed appropriate internal controls to address these risks. The adage “An ounce of prevention is worth a pound of cure” couldn’t be more true.