Keeping your controls reporting active under COVID-19
May 01, 2020
In responding to the complex challenges the coronavirus (COVID-19) pandemic has created, technology has proved to be a way forward for many businesses. Those who invested in technology have seen that pay off in terms of the relative ease with which they have been able to shift to a remote digital workforce.
As organisations now seek new ways to undertake their business, the expectation is that they will continue to deliver more services remotely. They are having to think creatively in deploying resources and servicing customers.
Meanwhile, companies that outsource their processes and technology to third parties are scrutinising how these third parties are managing this strain on their operations and the resiliency of the overall service. Every organisation has had to change its processes and controls to adapt.
But it’s important to note that regulators, whilst helpful in publishing guidance for companies to follow in these testing times, are not expecting the governance processes and the overall control environment to deteriorate.
So how does a service organisation keep the processes and controls operating?
I have listed five key things service providers can consider when delivering their services during a crisis:
- Consider - Consider the impact of ‘black swan’ events such as COVID-19. Conduct a risk assessment and map processes under the new operating circumstances. This should include how service delivery changes and the impact on controls (e.g., if there is a need to carry out a monthly physical security check on the data centres, how will this be affected under lockdown?).
- Identify - Identify how your service delivery processes and controls have changed, including the people operating those processes.
- Evaluate - Evaluate the controls. Are there any new risks that might materialise and, if so, how do the controls mitigate these new risks? Do you need to introduce new controls for part of the year, for the period under lockdown, or if employees are self-isolating?
- Retain - Retain evidence of management decisions made and how risks are mitigated or managed. This will help satisfy both customers and the auditors.
- Communicate - Clearly communicating the steps taken by the service provider and taking the customer on this journey will help the service provider build trust and reinforce service commitment standards. Customers will expect a change; if the service provider didn’t have to change, a note in the management statement will help customers form a view. As every organisation has changed some of the operation of its controls during this period, providers that did not have to change are likely to be in the minority. It is also useful to be aware that the regulators are expecting auditors to remain particularly sceptical during these times, so a report that is silent on the impact of COVID-19 is likely to attract more questions from stakeholders.
Stakeholders may have accepted these altered circumstances, but their expectations haven’t changed – it's down to the service provider to ensure these expectations are met. Transparency matters even more; it is becoming the need of the hour.