COVID-19 and SSAE 18: What Does This Mean for Your SOC Preparedness


Hopefully this writing finds you well, and adjusting to perhaps the most serious health-related situation to the world in many a lifetime.  Perhaps it may find you contemplating preparedness in very specific ways beyond the abstract manner where such thoughts comfortably lived just a few short weeks ago.  However such reflection finds you, it will most certainly find you working from home.
It is clear that no individual or organization is immune to the brunt of this coronavirus pandemic.  Were it only a health concern, that would certainly be impactful enough; however, when you consider the social and economic impact this pandemic has created to date and the projected trajectories moving forward, it is likely the effect to educational institutions and businesses may be even more lasting than that to individual health.
Fortunately, the audit and compliance profession provides many opportunities to both manage and control such necessary change, as managing desired results given a set of undesirable, unfavorable, or unknown variables is routine to our risk management practices.  While engaging auditors and other compliance professionals, oftentimes in person, is as routine as the audit and compliance effort itself, certain variables can be good news if your organization is performing or soon scheduled to perform an attestation engagement such as a SOC examination (i.e., SOC 1, SOC 2, SOC 3, or SOC for Cybersecurity), or almost any other type of compliance assessment.[1]

When Social Distancing Becomes Audit Distancing

Each day, whether dealing with extenuating circumstances or not, many accounting and assessment firms both great and small are not only reviewing and modifying their approach to travel, but are also considering changes to their audit methodologies.  A key, and perhaps central, consideration is how to keep their personnel and client personnel safe while also fulfilling the audit obligations to their clients and other interested parties—something that has become especially relevant in recent days.
The AICPA attestation code requires practitioners—auditors—to base their opinions on their professional judgment and the persuasiveness of the evidence they obtained during the examination.  Certainly, there are additional underlying professional requirements, but when considering in-person vs. distance auditing, the crux of the matter for examinations can be distilled into a simple and relatively straightforward concept: sufficient and appropriate evidence.
This is good news.  Due to the fact that the attestation code does not require in-person procedures for any phase of the examination, any in-person or remote processes are governed by the risk management decisions of the auditors, the client, and the engagement details.  Such flexibility allows for the effective completion of examinations regardless of routine or rapidly changing landscapes, as audit procedures remain dependent on the client’s specific needs, the auditor’s knowledge and subject matter expertise, and the implementation of acceptable alternatives to traditional audit methodologies.
The other good news is that other compliance frameworks have followed suit.  While reinforcing its belief that onsite audits are valuable, the PCI Security Standards Council (PCI SSC) in fact supports the use of remote auditing techniques as long as the “integrity of the assessment” remains intact, ultimately relying on the Qualified Security Assessor’s judgment that the evidence supports the findings and results of the assessment. The FedRAMP PMO and HITRUST Alliance have echoed similar sentiments, and though ISO is more complex, it also makes allowances for significant events such as these.

Flattening the Curve

In reference to the stabilizing effect community isolation can have on the demand for healthcare resources, the phrase ‘flattening the curve’ has undoubtedly made its rounds recently, from news broadcasts to living rooms, dining rooms, back porches, and every other place where folks are getting reacquainted.  As each of us does our part as professionals and as members of society, this concept of smoothing out the demand for resources also makes sense for managing compliance audits.  Here are four quick tips and considerations for your COVID-19 era SOC examination:
  1. Connect with your Auditor / Assessor:
    By now your auditor will have most likely prepared temporary or emergency protocols for managing existing audits and projects with respect to the new circumstances brought on by COVID-19.  The situation changes daily, so establishing a timely communication channel with your audit and compliance professional is likely the minimum consideration for your examination.  As new updates impact your organization, regulatory requirements, or the auditor’s methodologies, having a consistent touchpoint may be just what the doctor ordered—please excuse the pun.  Additionally, your compliance professional should be able to outline, in specific detail, any impact to your particular compliance requirements and explain in very clear and easy to understand terms the position of the governing body on remote or distance auditing.  While we know that in the case of attestation examinations, in-person auditing is not a requirement from the governing standards, your auditor should also be able to speak to the other and non-authoritative requirements that may impact your examination.
  2. Distance Audit Techniques:
    As travel restrictions are in constant flux at the federal government level and company level, this is likely to be the greatest single change for your assessment and technology will go a long way here in mitigating restrictions. Most business-class laptops are equipped with a high definition camera suitable for effective video conferencing—video conferencing software is as ubiquitous as MS Office, so using the obvious software solutions to overcome the challenges of distance auditing is to be assumed.  Even still, the evaluation of physical safeguards and processes would need to be accommodated in potentially non-traditional ways, and if the physical walkthrough was the primary source of evidence, consideration should be given to other forms, including evaluating system logs from physical access portals and systems, physical control monitoring logs, video surveillance logs, badge and system access listings, as well as remote viewing sessions using cell phones and/or laptop cameras among other possibilities.  Again, for any assessment or examination, the governing principle in this area is the sufficiency and appropriateness of the evidence; therefore, what may have been sufficient with an in-person tour may require more corroborative data than before, and that is largely true across other standards.  Please expect and plan for this with your auditor.  Alternate techniques should be planned out in advance, as well as contingency plans if key personnel or systems become unavailable and thus would prevent a remote approach to evaluating certain controls.
  3. Be Available:
    Notwithstanding the above, there are indeed certain conditions that may inhibit distance auditing.  While using teleconference technology may be obvious, what may be less obvious is the availability of network access to critical software, applications, and infrastructure that would be necessary for effective auditing, including VPN availability, which will surely be stress-tested across businesses and home offices during this time.  (It is also worth noting that this article was written without the benefit of high-speed Internet connectivity due to an unforeseen outage that is hopefully temporary.)  Contingency planning adds just one more variable to consider when planning with your auditor—redundancy in your network and personnel availability should be identified and communicated.
  4. Optimize Your Audits:
    Combining and leveraging audit and compliance programs has become a vestige of a much simpler and largely extinct compliance landscape.  Many, if not most, medium-to-large businesses and several small businesses that deliver services via the Internet (also known as every service organization) are faced with multiple external compliance requirements, e.g., GDPR, CCPA, PCI DSS, HITRUST, ISO, HIPAA, FedRAMP, CMMC, etc.—those that aren’t managing against at least two of those acronyms in addition to an attestation are considered in the distinct minority. As such, it is recommended to identify areas of synergy throughout these assessments at a distance, not only for the sake of being productive in primary business operations, but also to optimize every precious resource used towards satisfying Compliance Project X for purposes of Compliance Project Y, whenever feasible.  An audit firm that can seamlessly perform your SOC examination concurrent with your ISO 27001, evaluating a single piece of evidence or interview towards both projects, will be extremely valuable to all organizations who can manage such synergy.  Further, such synchronized evaluation has a compounding (or curve flattening) effect as other compliance requirements are properly planned and organized using a single assessor that is duly qualified.
Though COVID-19 has grown into a serious threat to global health, we will get through it as a compliance community and as a society.  Despite the many changes being effected due to the virus, one of the greatest opportunities will be to foster an enduring state of preparedness in your compliance organization for whatever may come with the coronavirus and beyond.  Whether it be your examination, IT assessment, or neighborhood shopping center, it is ironic that our current demonstration of community mindfulness is manifested in how best we isolate while staying connected.  Your SOC examination can weather this storm, and with the right communication and assessor, it can and should be done with the same level of quality and professionalism as expected in more routine times.

[1] SOC reporting is governed by professional standards promulgated by the AICPA.  These standards have been codified into SSAE No. 18, Attestation Standards: Clarification and Recodification.

About the Author

Ryan Buckner

Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.
