SOC 2 Considerations When Moving to a Remote Workforce

Has your organization recently moved to a remote workforce due to the COVID-19 pandemic? Although the extra-casual dress code and commute might be nice, don’t allow the change in routine to impact the criteria essential to a SOC 2 examination. Moving to a virtual workforce poses many challenges and new risks that need to be considered for SOC 2 examinations including:

  1. Standardization – Moving to a completely remote workforce may impact the scope of your organization's control environment more than you think. The American Institute of CPAs (AICPA) provides criteria that an organization should implement logical access security software, infrastructure, and architectures to protect it from security events (AICPA, Trust Services Criteria). This directly relates to those accessing organizational data from outside the organization's network. Many organizations opt to implement two-factor authentication, virtual private networks, or encrypted hard drives for existing remote workers to satisfy these criteria. Organizations must be sure to extend the controls already implemented for their pre-existing remote workforce to the entire organization, so that those controls remain effective and are not found deficient during the SOC 2 examination.
  2. Vulnerabilities – A risk assessment should be performed to identify potential gaps specific to a remote workforce. It is important to understand that your employees may not just work from home, but rather anywhere that has internet access such as hotels and airports. Controls should be implemented or revised to mitigate risk from vulnerabilities identified, such as disabling removable media, providing more robust security awareness training, and/or requiring users to acknowledge a remote work policy. Additional controls could include web content filtering, disabling local administrative rights on employee machines, and disabling VPN split tunneling. Security awareness training should provide employees with the knowledge to maintain proper cyber hygiene away from the office.
  3. Documentation – Working remotely provides a great opportunity to use collaborative tools to communicate with your team. Although substituting an in-person board of directors meeting with a video call may sound nice, it is important to perform the same level of documentation that would typically be performed for an in-person meeting. This includes formally documenting the agenda, meeting minutes, and any approvals that result from the meeting. A SOC 2 examination relies on documentation to evidence the operating effectiveness of controls. Lack of documentation to show a meeting occurred, or of evidence of specific items covered during the meeting, can be the difference between a clean report and a report with deficiencies. Policies and procedures should be developed to establish proper documentation guidelines. Further, a retention policy should be put into place to ensure documentation is not removed or deleted prior to the end of its useful life.
  4. Timeliness – SOC 2 Type II examinations require evidence to show the operating effectiveness of a control. New controls and expanded existing controls can add considerable time to the documentation gathering phase of an engagement. Planning your resources accordingly will allow the engagement to progress smoothly and on schedule.
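The endpoint controls named under Vulnerabilities (disabling removable media, removing local administrative rights, disabling VPN split tunneling) are also the ones an examiner will ask you to evidence. The following added example, which is not from the Schneider Downs article, is a read-only PowerShell audit that checks those three settings on a Windows 10/11 endpoint and writes a timestamped evidence record. It assumes PowerShell 5.1 or later, local administrator rights to read the policy registry key, and the evidence path and allowed-administrator list are placeholders to adjust for your environment.

```powershell
# Added example, not from the article. Read-only audit of three remote-work endpoint
# controls, producing a timestamped evidence record for the SOC 2 documentation file.
$evidencePath = "C:\SOC2Evidence\$env:COMPUTERNAME-remote-work-controls.json"   # assumed path

# Control 1: removable storage denied by policy. The Group Policy setting
# "All Removable Storage classes: Deny all access" writes Deny_All = 1 under this key.
$rsdKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$denyAll = (Get-ItemProperty -Path $rsdKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
$removableMediaDisabled = ($denyAll -eq 1)

# Control 2: no unexpected members in the local Administrators group.
# The allow-list below is an assumption; add your endpoint-management account or domain group.
$allowedAdmins = @("$env:COMPUTERNAME\Administrator")
$localAdmins   = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$unexpectedAdmins    = @($localAdmins | Where-Object { $allowedAdmins -notcontains $_ })
$localAdminRestricted = ($unexpectedAdmins.Count -eq 0)

# Control 3: built-in Windows VPN profiles must not use split tunneling.
# Third-party VPN clients are not visible to Get-VpnConnection and need their own check.
$vpns = Get-VpnConnection -ErrorAction SilentlyContinue
$splitTunnelVpns     = @($vpns | Where-Object { $_.SplitTunneling } | Select-Object -ExpandProperty Name)
$splitTunnelDisabled = ($splitTunnelVpns.Count -eq 0)

# Evidence record: who was checked, when (UTC), and the result of each control.
$record = [ordered]@{
    Host                   = $env:COMPUTERNAME
    CollectedUtc           = (Get-Date).ToUniversalTime().ToString('o')
    RemovableMediaDisabled = $removableMediaDisabled
    LocalAdminRestricted   = $localAdminRestricted
    UnexpectedLocalAdmins  = $unexpectedAdmins
    SplitTunnelDisabled    = $splitTunnelDisabled
    SplitTunnelVpnProfiles = $splitTunnelVpns
}

New-Item -ItemType Directory -Path (Split-Path $evidencePath) -Force | Out-Null
$record | ConvertTo-Json | Set-Content -Path $evidencePath -Encoding UTF8
$record   # also show the result on screen for the operator
```

Run it on a sample of remote endpoints on a schedule and retain the JSON files under the retention policy described under Documentation, so that operating effectiveness can be evidenced across the Type II review period.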

Understanding the impact of a remote workforce on your SOC 2 examination is important to ensure all controls operate effectively and remain relevant to your organization's environment.

How Can Schneider Downs Help?

For more information on our System and Organization Control (SOC) Reports services, please visit https://www.schneiderdowns.com/reporting-controls-service-organization-soc-reports-ssae-18-audits.

Please visit our Coronavirus resource page at schneiderdowns.com/our-thoughts-on/category/Coronavirus for related content.

Sources: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
