SOC 2 Remote Audit Guidance
Published On September 9, 2020
Blog Post by Angela Fitzpatrick, ITRM Manager at Meditology Services
Game-changing shifts are underway for audit, risk, and compliance programs looking to leverage third-party SOC 2 attestations to validate compliance with industry-standard security requirements.
The pandemic has driven entire workforces into remote operation at precisely the same time when the demand for independent inspection and validation of security controls for third-party vendors has reached peak levels.
These fundamental changes to business operations, systems, and controls require that SOC 2 audit approaches be revisited and adjusted to reflect new remote models and the risks they may introduce to organizations.
The AICPA released guidance titled FAQs - SOC 1® and SOC 2® Issues Arising From COVID‐19 to help audit practitioners and businesses understand the impact of conducting remote SOC 2 audits in 2020 and beyond.
The following are some of the key points highlighted in the AICPA’s remote audit guidance materials.
Assessing the Scope: What has Changed?
The impact of the pandemic on operations and business models varies greatly from organization to organization. Changes may include increases in the remote workforce, furloughs of staff or entire departments, closures of facilities, changes in management and oversight models, and more.
These changes mean that there is an increased risk that controls may no longer be operating effectively as designed. A prime example is the introduction of remote access technologies including VPNs and cloud-based access models.
Auditors must review the scope of the SOC 2 audit with the service organization’s management to size up the nature and extent of changes that may impact the effectiveness of security controls. Where substantive changes have occurred, auditors must reassess risks and adjust findings accordingly. As a result, organizations should anticipate additional time and effort for SOC 2 audits conducted in 2020 and 2021 compared to prior years.
Performing Remote Audits
SOC 2 auditors often rely upon physical inspection and review of evidence to arrive at audit opinions outlined in SOC 2 attestations. The introduction of a remote workforce alongside limitations on travel and physical office and system inspections has the potential to hinder the effective collection and review of evidence of controls.
One option presented in the AICPA guidance is to consider delaying SOC 2 audits until such time as these conditions change. However, our experience working with our clients has shown that this course of action has proven impractical as the pandemic persists.
Another suggested tactic is to have remote workforce members capture and upload evidence of controls. This meets the requirements of the formal audit protocols; however, it can also introduce some inefficiencies in the evidence collection process. AICPA guidance also recommends that auditors maintain a “heightened sense of professional skepticism” for documentation submitted remotely vs. inspected in person.
Video conferencing technology including screen sharing capabilities has proven to be one of the more effective mechanisms for viewing and collecting controls evidence remotely. The agility of screen sharing allows auditors to work alongside the business representatives to navigate and observe multiple control areas without having to amass large volumes of static evidence.
The management’s description of the service organization’s system is a foundational component of the SOC 2 audit report and process. For SOC 2 Type 2 audits specifically, the description criteria require "disclosure in the description of the system of relevant details of significant changes to the service organization’s operations, system, or system controls."
Organizations that have experienced material changes to their business models, operations, or risks resulting from COVID-19 must make sure to disclose those factors in the service organization’s description.
Auditors must request and obtain evidence of effective controls for time periods both before and after pandemic-related business changes outlined in the description.
Auditors may also ask service organizations to include additional attestations in their management representation letters including:
- Effects of the pandemic on the service organization, its operations, and technologies used in providing services
- Any communications to customers and business partners about changes in service level agreements or commitments
- Disclosure of all changes to systems and related controls due to the pandemic
- Identification and assessment of new risks arising from changes to systems and related controls
Meditology Services is a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services, exclusively for healthcare organizations. Our Meditology Assurance division is an AICPA accredited provider of SOC 2 auditing, reporting, and attestations.
Contact us to learn more about how we can help you navigate your compliance and risk management needs including SOC 2 audits.