Unexpected disruption, such as the COVID-19 pandemic, can uproot our definition of normal. As organizations settle into their new normal, it’s important that management identifies, analyzes, and mitigates evolving risks.
System and organization controls (SOC) reports help organizations build trust and confidence in the service performed for other entities. Each type of SOC examination, commonly referred to as a SOC audit, can help service organizations meet their specific user needs.
There are three reports prepared by independent CPA firms — SOC 1, SOC 2 and SOC 3 — as well as SOC audits for cybersecurity.
Through timely and proactive action, management can work with SOC examiners so the new normal doesn’t erode the trust and hard work of protecting the security, availability, confidentiality, processing integrity, and privacy of customer data.
Business impacts for SOC audits
Organizations can be affected by disruption in multiple ways. Identifying core processes and critical business objectives allows for pivoting and adapting organization resources where required.
While not a complete list, the following are seven major consequences of disruption that can directly impact internal controls, planned or ongoing SOC audits, and next steps for management.
1. Business and market disruptions
Given the widespread disruption that occurred during the pandemic, from supply chain challenges to financial struggles, changes or disruptions in the business cycle can materially alter the enterprise risk profile.
Management next steps
- Review impact to business, system, controls, and other reporting factors
- Revisit your enterprise risk management protocol and conduct a supplementary risk assessment to help determine whether appropriate internal controls provide coverage for unexpected threats



